5.4.1 Ensure password creation requirements are configured - password-auth try_first_pass

Information

The pam_cracklib.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, that it meets a minimum length, that it contains a mix of character classes (e.g. alphabetic, numeric, other), and more. The following are definitions of the pam_cracklib.so options used in this recommendation.

try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.

retry=3 - Allow 3 tries before sending back a failure.

minlen=14 - password must be 14 characters or more

dcredit=-1 - provide at least one digit

ucredit=-1 - provide at least one uppercase character

ocredit=-1 - provide at least one special character

lcredit=-1 - provide at least one lowercase character

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.

Rationale:

Strong passwords protect systems from being hacked through brute force methods.

Solution

Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_cracklib.so and to conform to site policy:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
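As an added audit helper, not part of this benchmark item or of the Tenable plugin, the following POSIX shell function reads a PAM file and reports whether its active pam_cracklib.so password line carries try_first_pass and sets minlen to 14 or more (the two requirements this item audits); the function name and the PASS/FAIL output format are assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the benchmark text or Tenable's plugin.
# Checks one PAM file for the requirements this item audits: an active
# "password ... pam_cracklib.so" line that includes try_first_pass and
# sets minlen to 14 or more. Prints PASS/FAIL and returns 0 only on pass.
check_cracklib_line() {
    file="$1"
    min_required=14

    # Take the first uncommented password-phase line that loads pam_cracklib.so
    # and collapse tabs and repeated spaces so option matching is simple.
    line=$(grep -E '^[[:space:]]*password[[:space:]]+[^#]*pam_cracklib\.so' "$file" 2>/dev/null \
        | head -n 1 | tr '\t' ' ' | tr -s ' ')
    if [ -z "$line" ]; then
        echo "FAIL: $file: no active pam_cracklib.so password line"
        return 1
    fi

    # try_first_pass must appear as a whole option, not as part of another word.
    case " $line " in
        *" try_first_pass "*) ;;
        *) echo "FAIL: $file: try_first_pass not set"; return 1 ;;
    esac

    # Extract minlen=N; a missing value or one below the requirement fails.
    minlen=$(printf '%s\n' "$line" | sed -n 's/.* minlen=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$minlen" ]; then
        echo "FAIL: $file: minlen not set"
        return 1
    fi
    if [ "$minlen" -lt "$min_required" ]; then
        echo "FAIL: $file: minlen=$minlen is below $min_required"
        return 1
    fi

    echo "PASS: $file: $line"
    return 0
}

# When run directly with file arguments (e.g. the two files named in the
# Solution), audit each one and exit non-zero if any of them fails.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_cracklib_line "$f" || status=1
    done
    exit "$status"
fi
```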

Additional Information:

authconfig may overwrite any changes made as part of this recommendation. It is advisable to maintain a backup and audit this recommendation anytime authconfig is used.

Additional module options may be set; the requirements of this recommendation only cover including try_first_pass and setting minlen to 14 or more.

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|5.7, CSCv6|16.12, CSCv7|4.4

Plugin: Unix

Control ID: 82b0538fd6cb6362c275e3c8a9fb7f8e22b8886e596be9c4c8b2bdb97ffba3c6