5.2.2 Set a minimum password length

Information

A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.

Ensure that a minimum of a 15 character password is part of the password policy on the computer.

Where the confidentiality of encrypted information in FileVault is more of a concern requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.

Rationale:

Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system.

Impact:

Short passwords can be easily attacked.

Solution

Run the following command to set the password length to greater than or equal to 15:

$ sudo pwpolicy -a <administratoraccount> -setaccountpolicies 'minChars=<value>=15>'

example:

$ sudo pwpolicy -a firstuser -setglobalpolicy 'minChars=15'

See Also

https://workbench.cisecurity.org/files/3092

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: Unix

Control ID: 64a668eb4887f9d3de6d95473a1b7e688892b2ae3426f12990fcefa21be347de