Title: The DBMS must enforce password minimum lifetime restrictions.
Vulnerability ID: V-32470
IA Controls: None
Description: Password minimum lifetime is the minimum period of time (typically in days) a user's password must be in effect before the user can change it.
Restricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy-based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be changed repeatedly in a short period of time, defeating the organization's policy regarding password reuse.
Not enforcing password minimum lifetime restrictions would allow users to keep using the same password repeatedly by immediately changing their password X number of times in succession. This would effectively negate the password policy.
Check Text: Review DBMS settings and function logic, or have the DBA demonstrate a password change, to ensure minimum lifetime restrictions exist and are enforced. If minimum lifetime restrictions do not exist, this is a finding.
Fix Text: Define, configure, and test a password verify feature or function that validates passwords on change to ensure password changes do not occur within the minimum lifetime restrictions.
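The following is an added model of the password verify function described above, written for this page rather than taken from any DBMS vendor's implementation. It assumes an account record holding the last change time and a list of prior password hashes, a remembered-history depth of 5, and a DBA-reset bypass; cycling_defeats_reuse_policy() shows that without a minimum lifetime a user can run through the history in minutes and land back on the original password, and that a one-day minimum lifetime stops it.

```python
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac

HISTORY_DEPTH = 5  # assumed: number of previous password hashes remembered

def _hash(password: str) -> str:
    # Illustrative only; a real DBMS applies its own salted password hashing.
    return hashlib.sha256(password.encode()).hexdigest()

def verify_change(account: dict, new_password: str, now: datetime,
                  min_lifetime_days: float, admin_reset: bool = False) -> Optional[str]:
    """Return None if the change is allowed, else the reason it is refused.
    account = {"changed_at": datetime, "history": [hash, ...]}, most recent last.
    A DBA-initiated reset (admin_reset=True) skips the lifetime check, since the
    restriction targets user self-service changes; the reuse check still applies."""
    if not admin_reset and now - account["changed_at"] < timedelta(days=min_lifetime_days):
        return "minimum password lifetime has not elapsed"
    new_hash = _hash(new_password)
    if any(hmac.compare_digest(new_hash, h) for h in account["history"][-HISTORY_DEPTH:]):
        return "password matches one of the last %d passwords" % HISTORY_DEPTH
    return None

def apply_change(account: dict, new_password: str, now: datetime,
                 min_lifetime_days: float, admin_reset: bool = False) -> bool:
    """Apply the change if verify_change permits it; True on success."""
    if verify_change(account, new_password, now, min_lifetime_days, admin_reset):
        return False
    account["history"].append(_hash(new_password))
    account["changed_at"] = now
    return True

def cycling_defeats_reuse_policy(min_lifetime_days: float) -> bool:
    """Constructed scenario: right after setting 'Original!1', the user submits
    HISTORY_DEPTH throwaway passwords one minute apart, then 'Original!1' again.
    True means the original password was accepted, i.e. the reuse policy failed."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    account = {"changed_at": t0, "history": [_hash("Original!1")]}
    now = t0
    for i in range(HISTORY_DEPTH):
        now += timedelta(minutes=1)
        apply_change(account, "Throwaway!%d" % i, now, min_lifetime_days)
    now += timedelta(minutes=1)
    return apply_change(account, "Original!1", now, min_lifetime_days)
```

When checking a real DBMS, the equivalent test is to change a password twice in quick succession as an ordinary user and confirm the second change is refused while a DBA reset still succeeds.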