Information
Defines the loadable password algorithm used when storing user passwords.
Rationale:
A development since AIX 5.1 was the ability to use different password algorithms as defined in /etc/security/pwdalg.cfg. The traditional UNIX password algorithm is crypt, which is a one-way hash function supporting only 8 character passwords. The use of brute force password guessing attacks means that crypt no longer provides an appropriate level of security and so other encryption mechanisms are recommended.
The recommendation of this benchmark is to set the password algorithm to ssha512. This algorithm supports long passwords, up to 255 characters in length and allows passphrases including the use of the extended ASCII table and the space character. Any passwords already set using crypt will be recognized. When the password is reset the new password hash algorithm will be used to encrypt the password.
Impact:
A password algorithm other than crypt is required to support a password minlen greater than 8 (eight) characters.
SHA512 password encryption is recommended as the most secure.
Solution
In the file /etc/security/login.cfg set the usw stanza attribute pwd_algorithm to ssha512:
#!/usr/bin/ksh -e
# chk_algorithm:5.2.1
# Provided to CIS by AIXTools
# Copyright AIXTools, 2022
EXPECT='usw pwd_algorithm=ssha512'
CMD='lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm'
TST=$(${CMD})
[[ ${TST} == ${EXPECT} ]] && exit 0
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
exit $?
Default Value:
crypt
Additional Information:
Consider looking for passwords encrypted using crypt and set the ADMCHG flag to initiate a password change at next login.