Control: 1.4 Ensure IAM password policy requires minimum length of 14 or greater

Description

Password policies are used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a certain length and are composed of certain characters.

It is recommended the password policy require a minimum password length 14 characters and contain 1 non-alphabetic character (Number or “Special Character”).

In keeping with the overall goal of having users create a password that is not overly weak, an eight-character minimum password length is recommended for an MFA account, and 14 characters for a password only account. In addition, maximum password length should be made as long as possible based on system/software capabilities and not restricted by policy.

In general, it is true that longer passwords are better (harder to crack), but it is also true that forced password length requirements can cause user behavior that is predictable and undesirable. For example, requiring users to have a minimum 16-character password may cause them to choose repeating patterns like fourfourfourfour or passwordpassword that meet the requirement but aren’t hard to guess. Additionally, length requirements increase the chances that users will adopt other insecure practices, like writing them down, re-using them or storing them unencrypted in their documents.

Password composition requirements are a poor defense against guessing attacks. Forcing users to choose some combination of upper-case, lower-case, numbers, and special characters has a negative impact. It places an extra burden on users and many will use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a “special character” at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like, $ for s, @ for a, 1 for l, 0 for o.

Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.

Remediation

From Console

OCI Native IAM

1. Login to OCI Console.
2. Go to Identity in the Services menu.
3. Select Authentication Settings from the Identity menu.
4. Click Edit in the middle of the page.
5. Type the number 14 into the box below the text: MINIMUM PASSWORD LENGTH (IN CHARACTERS).
6. Select checkbox next to MUST CONTAIN AT LEAST 1 SPECIAL CHARACTER OR MUST CONTAIN AT LEAST 1 NUMERIC CHARACTER.

OCI Identity Cloud Service (IDCS)

1. Login to IDCS Admin Console.
2. Expand the Navigation Drawer, click Settings, and then click Password Policy.
3. Click on Change Your Password Policy button.
4. Update the Password length min size setting to 14.
5. Click Save.
6. Under The password must contain these characters section, update the number given in Special min setting to 1 or Under The password must contain these characters section, update the number given in Numeric min setting to 1.
7. Click Save.