Information
A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.
Ensure that the password policy on the computer requires a minimum password length of 15 characters.
Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient, rather than imposing additional complexity requirements that may be self-defeating.
Rationale:
Information systems that are not protected with strong password schemes, including passwords of minimum length, provide a greater opportunity for attackers to crack the password and gain access to the system.
Impact:
Short passwords can be easily attacked.
Solution
Run the following command to set the minimum password length to a value greater than or equal to 15:
$ sudo pwpolicy -a <administratoraccount> -setglobalpolicy 'minChars=<value>'
Example:
$ sudo pwpolicy -a firstuser -setglobalpolicy 'minChars=15'
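To confirm the setting after applying it, the following added example (not part of the original benchmark text) checks policy text for a minimum length of at least 15. It assumes the text is piped in from `sudo pwpolicy -getglobalpolicy` or `sudo pwpolicy -getaccountpolicies`; the function names and the two input layouts it parses are assumptions, and the samples are constructed.

```shell
#!/bin/sh
# Added example: verify that a pwpolicy dump enforces a minimum length.
# Assumed input formats (constructed samples below, not captured output):
#   legacy global policy : space-separated key=value pairs, e.g. minChars=15
#   account-policy plist : <key>minimumLength</key><integer>15</integer>

REQUIRED_MIN=15

# Read policy text on stdin and print the minimum length it sets (0 if none).
extract_min_length() {
    policy=$(cat)
    # Legacy form: split on whitespace, accept only an exact minChars=<digits> token.
    n=$(printf '%s\n' "$policy" | tr ' \t' '\n\n' |
        sed -n 's/^minChars=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$n" ]; then
        # Plist form: drop whitespace so the key and its integer sit side by side.
        n=$(printf '%s' "$policy" | tr -d ' \t\n' |
            sed -n 's/.*<key>minimumLength<\/key><integer>\([0-9][0-9]*\)<\/integer>.*/\1/p')
    fi
    printf '%s\n' "${n:-0}"
}

# Succeed only when the policy on stdin requires at least REQUIRED_MIN characters.
check_min_length() {
    [ "$(extract_min_length)" -ge "$REQUIRED_MIN" ]
}

# Constructed samples.
SAMPLE_LEGACY='usingHistory=0 requiresAlpha=0 minChars=15 maxChars=0'
SAMPLE_SHORT='usingHistory=0 minChars=8'
SAMPLE_PLIST='<dict>
  <key>policyParameters</key>
  <dict>
    <key>minimumLength</key>
    <integer>15</integer>
  </dict>
</dict>'

for sample in "$SAMPLE_LEGACY" "$SAMPLE_SHORT" "$SAMPLE_PLIST" 'no length key'; do
    if printf '%s\n' "$sample" | check_min_length; then
        echo "PASS"
    else
        echo "FAIL: minimum length below $REQUIRED_MIN or not set"
    fi
done
```

A policy with no length key at all is reported as a failure, so an unset policy cannot pass the check.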