Passwords: Minimum length

e352dda0-c735-4b4e-ba26-097f5dbab32c

Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length

STIG recommends a minimum password length of 14 characters.

Remediation

Configure the password policy setting to a minimum of 8, although a higher setting provides better security: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum-password-length

STIG Server 2016: https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-73321
STIG Server 2019: https://www.stigviewer.com/stig/microsoft_windows_server_2019/2021-08-18/finding/V-205662
STIG Desktop: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63423

To fix this, configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Minimum password length" to "14" characters.
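As an added example (not from the page, the STIG or Microsoft), a PowerShell check that reads the effective "Minimum password length" from a secedit policy export, compares it with the STIG value of 14, and applies the local remediation if it falls short; the function names are my own, and the script assumes an elevated session on the host being audited.

```powershell
# Added example: audit and remediate "Minimum password length" on a Windows host.
# secedit.exe and net.exe ship with Windows; run from an elevated PowerShell.

function Get-MinimumPasswordLength {
    # secedit exports the effective local security policy as an INF file;
    # the value is under [System Access] as "MinimumPasswordLength = N".
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet
        $match = Select-String -Path $inf -Pattern '^\s*MinimumPasswordLength\s*=\s*(\d+)' |
                 Select-Object -First 1
        if (-not $match) { throw 'MinimumPasswordLength not found in exported policy' }
        [int]$match.Matches[0].Groups[1].Value
    }
    finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-MinimumPasswordLength {
    param([int]$Required = 14)   # STIG value; Microsoft's documented floor is 8
    $current = Get-MinimumPasswordLength
    [pscustomobject]@{
        Setting   = 'Minimum password length'
        Current   = $current
        Required  = $Required
        Compliant = ($current -ge $Required)
    }
}

function Set-MinimumPasswordLength {
    # Local policy only: on a domain-joined host the GPO path quoted above
    # overrides this value at the next Group Policy refresh.
    param([int]$Length = 14)
    & net.exe accounts /minpwlen:$Length | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
}

$result = Test-MinimumPasswordLength -Required 14
$result | Format-List
if (-not $result.Compliant) {
    Set-MinimumPasswordLength -Length 14
    Test-MinimumPasswordLength -Required 14 | Format-List
}
```

For domain accounts, the equivalent check is the MinPasswordLength property returned by Get-ADDefaultDomainPasswordPolicy, since the local export only reflects what Group Policy has already pushed to the host.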

NIST 800-171 Rev2: 3.5.1, 3.5.2
NIST 800-171A: 3.5.1[a], 3.5.1[b], 3.5.1[c]
CMMC V2.0 v1.02 Mapping: IA.1.076, IA.1.077
CMMC V2.0 Level 1 / 2 / 3: IA.L1-3.5.1, IA.L1-3.5.2
CMMC v1: IA.1.077
AICPA TSC 2017: CC6.1
CIS CSC v8: 5.5, 5.6, 6.7, 12.5
COBIT: DSS05.04
CSA CMM v4: IAM-13, IAM-16
IEC 62443-4-2: CR 1.1 (5.3.1), CR 1.1 (5.3.3(1))
ISO 27002: 5.15
ISO 27018: A.10.10
MPA Content Security Program: DS-10.0, DS-8.0
NIST Privacy Framework v1.0: PR.AC-P1, PR.AC-P6
NIST 800-53: IA-2
NIST 800-82: IA-2
NIST 800-161: IA-2
NIST CSF v1.1: PR.AC-6
PCIDSS v3.2: 8.1.1, 8.2
PCIDSS v4.0: 7.1, 7.2, 7.2.1, 7.3, 7.3.1, 7.3.2, 7.3.3, 8.1, 8.2, 8.3, 8.3.3, 8.3.9
Shared Assessments SIG 2022: H.3
Tisax ISA v5.1.0: 4.1.1
US CERT RMM v1.2: AM:SG1.SP1, ID:SG1.SP1, ID:SG1.SP2, ID:SG1.SP3, TM:SG4.SP4
US FAR 52.204-21: 52.204-21(b)(1)(i), 52.204-21(b)(1)(v), 52.204-21(b)(1)(vi)
US HIPAA: 164.312(a)(2)(i)
US IRS 1075: 9.3.7.2