Information
Sybase ASE 15.0 and 15.0.1 support enforcing password complexity via:
- Setting the login mode to Integrated Mode so that password policy is enforced by the Windows domain.
- A configuration parameter to enforce a server-wide, per-user-account and per-role minimum password length (set to 0 by default).
- A configuration parameter to enforce at least one digit in a password (disabled by default).
Sybase ASE 15.0.2 supports the above settings as well as more granular password complexity via:
- A setting to enforce that a login name cannot be a substring of the password.
- A setting to enforce the minimum number of special characters for the password.
- A setting to enforce the minimum number of alphabetic characters for the password.
- A setting to enforce the minimum number of upper-case letters for the password.
- A setting to enforce the minimum number of lower-case letters for the password.
- A setting to enforce that the password must be reset the first time a login is used.
- A setting to enforce the minimum number of digits for the password.
In addition, Sybase ASE 15.0.2 supports the creation of a stored procedure to enforce
custom password complexity requirements.
It is recommended that strong password complexity is enforced in accordance with your organization's policy. It may not be possible to enforce a sufficient policy on ASE 15.0 and ASE 15.0.1; if this is the case, the System Security Officer should consider one of the following solutions:
- Upgrade systems to ASE 15.0.2 in order to make use of the more extensive password complexity options.
- Enable Integrated Mode to rely on the Windows domain password policy.
- Accept the risk associated with the policy conflict and regularly audit password strength using a password cracking tool.
Rationale:
Arguably the most common cause of database compromise is weak passwords. Setting password complexity is an essential step to ensuring the security and integrity of the data within the database.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
1. Connect to the ASE server as a user with the sso_role and execute the following SQL statement in order to set a system-wide minimum password length according to your organization's password policy (substitute 8 for an acceptable value):
exec sp_configure 'minimum password length', 8
2. Set a custom minimum password length for specific users and roles as required. This should not be less than the system-wide length. This can be accomplished via the sp_modifylogin stored procedure.
3. Execute the following statement to enforce at least one digit in passwords:
exec sp_configure 'check password for digit', 1
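The three Solution steps carried out as one isql script, followed by a verification pass and the ASE 15.0.2 granular settings described above. This is an added example, not part of the benchmark text; the login name app_user, the role app_role and the numeric values are placeholders, and the sp_modifylogin option string, the ALTER ROLE syntax and the sp_passwordpolicy option strings are taken from the ASE reference documentation as I recall them, so check them against the manual for your release.

```sql
-- Added example (not benchmark text). Run from isql as a login that holds sso_role.
-- "app_user", "app_role" and the lengths are placeholders; substitute your own.

-- Step 1: server-wide minimum password length (8 is the benchmark's sample value).
exec sp_configure 'minimum password length', 8
go

-- Step 3: require at least one digit in every new password.
exec sp_configure 'check password for digit', 1
go

-- Step 2: per-login override. Keep it at or above the server-wide value.
-- Option string "min passwd length" per the ASE sp_modifylogin documentation.
exec sp_modifylogin 'app_user', 'min passwd length', '12'
go

-- Per-role override (ALTER ROLE ... SET syntax per the ASE reference manual).
alter role app_role set min passwd length 12
go

-- Verify what is actually in effect: sp_configure with no value prints the
-- current setting, sp_displaylogin shows the per-login override.
exec sp_configure 'minimum password length'
exec sp_configure 'check password for digit'
exec sp_displaylogin 'app_user'
go

-- ASE 15.0.2 only: the granular rules listed in the Information section are set
-- with sp_passwordpolicy (option strings per the 15.0.2 documentation; these
-- calls fail on 15.0 and 15.0.1, which is the upgrade case the text describes).
exec sp_passwordpolicy 'set', 'disallow simple passwords', '1'     -- login name not in password
exec sp_passwordpolicy 'set', 'min special char in password', '1'
exec sp_passwordpolicy 'set', 'min alpha in password', '4'
exec sp_passwordpolicy 'set', 'min upper char in password', '1'
exec sp_passwordpolicy 'set', 'min lower char in password', '1'
exec sp_passwordpolicy 'set', 'min digits in password', '1'
exec sp_passwordpolicy 'set', 'expire login', '1'                  -- reset on first use
go

-- Review the complete policy now in force (15.0.2).
exec sp_passwordpolicy 'list'
go
```

The verification batch is what an auditor should compare against the Nessus target output: a per-login value lower than the server-wide minimum, or sp_configure still reporting 0, means the control is not in effect.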