5.3.5 Ensure minimum and maximum requirements are set for password changes - difok

Information

The operating system must be configured so that when passwords are changed a minimum of 8 of the total number of characters must be changed and a minimum of 4 character classes must be changed. The operating system must also be configured so that when passwords are changed the number of repeating consecutive characters must not be more than 3 characters and the number of repeating characters of the same character class must not be more than 4 characters. The operating system must be configured so that passwords are a minimum of 15 characters in length.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Solution

Configure the operating system to require the change of at least 8 of the total number of characters when passwords are changed by setting the difok option and the minclass option and the maxrepeat option and the maxclassrepeat and the minlen option as defined below.
Add the following lines to /etc/security/pwquality.conf (or modify the line to have the required value):
Example: vim /etc/security/pwquality.conf

difok = 8
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
minlen = 15

Impact:

Consult your documentation for the appropriate PAM file and module. Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol.

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-71911

Rule ID: SV-86535r2_rule

STIG ID: RHEL-07-010160

Severity: CAT II



Vul ID: V-71913

Rule ID: SV-86537r2_rule

STIG ID: RHEL-07-010170

Severity: CAT II



Vul ID: V-71915

Rule ID: SV-86539r3_rule

STIG ID: RHEL-07-010180

Severity: CAT II



Vul ID: V-71917

Rule ID: SV-86541r2_rule

STIG ID: RHEL-07-010190

Severity: CAT II



Vul ID: V-71935

Rule ID: SV-86559r2_rule

STIG ID: RHEL-07-010280

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(b)

Plugin: Unix

Control ID: ed5506ebf3442c7d20b1ccdc44d608bfc323f4927cf0ce95d12c79f0e954e3e9