5.3.1 Ensure password creation requirements are configured - try_first_pass

Information

The pam_pwquality.so module checks the strength of a new password before it is accepted. It performs checks such as making sure the password is not a dictionary word, that it meets a minimum length, that it contains a mix of character classes (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_pwquality.so module options used in this check.

- try_first_pass - use the new password already collected by a previous stacked password module instead of prompting for it again. If no such password is available, prompt the user for one.
- retry=3 - prompt the user at most 3 times for an acceptable password before the module returns a failure.

The following options are set in the /etc/security/pwquality.conf file:

- minlen = 14 - password must be 14 characters or more
- dcredit = -1 - require at least one digit
- ucredit = -1 - require at least one uppercase character
- ocredit = -1 - require at least one special (non-alphanumeric) character
- lcredit = -1 - require at least one lowercase character

A negative credit value is a hard minimum for that character class. A positive value does not require the class at all; it only counts characters of that class as extra credit towards minlen, so values such as ocredit = 1 weaken rather than strengthen the policy.

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.

Rationale:

Strong passwords increase the work an attacker needs to guess or crack a credential, whether by online brute force or dictionary attacks against a login service or by offline cracking of stolen password hashes.

Solution

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files so that the password stack includes a pam_pwquality.so line with the appropriate options, conforming to site policy. The line must appear before pam_unix.so in the password section so that the new password is checked before it is stored:

password requisite pam_pwquality.so try_first_pass retry=3

Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:

- minlen = 14
- dcredit = -1
- ucredit = -1
- ocredit = -1
- lcredit = -1
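The following audit script is an added example and is not part of the CIS benchmark or the Tenable check. It reads a pam.d file and a pwquality.conf and reports whether they meet the values above. The function names (check_pam_line, pwq_value, check_pwquality, audit) and the sample configuration files it creates in a temporary directory are constructed for the example; on a real host, point audit at /etc/pam.d/system-auth (and again at /etc/pam.d/password-auth) and /etc/security/pwquality.conf.

```shell
#!/bin/sh
# Added audit helper, not part of the CIS/Tenable check text. It parses a
# pam.d file and a pwquality.conf and checks them against the policy above.
# The sample files below are constructed so the script runs offline.

# check_pam_line FILE: succeed if FILE has an active
# "password requisite pam_pwquality.so" line carrying try_first_pass and
# a retry value between 1 and 3.
check_pam_line() {
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then return 1; fi
    if ! echo "$line" | grep -q 'try_first_pass'; then return 1; fi
    retry=$(echo "$line" | sed -n 's/.*retry=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$retry" ] || [ "$retry" -lt 1 ] || [ "$retry" -gt 3 ]; then return 1; fi
    return 0
}

# pwq_value FILE KEY: print the last active "KEY = VALUE" in FILE (a later
# line overrides an earlier one, which is how libpwquality reads the file).
pwq_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(-*[0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# check_pwquality FILE: succeed if minlen >= 14 and every credit is <= -1,
# i.e. each character class is a hard minimum rather than a bonus.
check_pwquality() {
    v=$(pwq_value "$1" minlen)
    if [ -z "$v" ] || [ "$v" -lt 14 ]; then return 1; fi
    for k in dcredit ucredit ocredit lcredit; do
        v=$(pwq_value "$1" "$k")
        if [ -z "$v" ] || [ "$v" -gt -1 ]; then return 1; fi
    done
    return 0
}

# audit PAMFILE PWQFILE: print a FAIL reason per failing component, then
# a final PASS or FAIL line.
audit() {
    status=PASS
    check_pam_line "$1" || { echo "FAIL: $1 lacks a compliant pam_pwquality.so line"; status=FAIL; }
    check_pwquality "$2" || { echo "FAIL: $2 does not meet the minlen/credit policy"; status=FAIL; }
    echo "$status"
}

# Constructed sample inputs (not captured from a real system).
workdir=$(mktemp -d)
cat > "$workdir/system-auth" <<'EOF'
# password section of a compliant /etc/pam.d/system-auth (constructed)
password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
EOF
cat > "$workdir/pwquality.conf" <<'EOF'
# compliant /etc/security/pwquality.conf (constructed)
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
cat > "$workdir/pwquality-weak.conf" <<'EOF'
# non-compliant variant (constructed): minlen too short, ocredit only a bonus
minlen = 8
dcredit = -1
ucredit = -1
ocredit = 1
lcredit = -1
EOF

audit "$workdir/system-auth" "$workdir/pwquality.conf"        # final line: PASS
audit "$workdir/system-auth" "$workdir/pwquality-weak.conf"   # final line: FAIL
```

The check deliberately treats a positive credit as a failure: ocredit = 1 lets a special character count towards minlen without requiring one, which is the weak setting the policy above is meant to exclude. Both pam.d files must be audited separately, since system-auth and password-auth are independent stacks.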

See Also

https://workbench.cisecurity.org/files/2449

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 9287c69a139030164b0178f494babac476a7d54a2634cd189f151c2924657142