4.4.2.2.2 Ensure password number of changed characters is configured

Information

The pwquality difok option sets the number of characters in a password that must not be present in the old password.

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Solution

Edit or add the following line in /etc/security/pwquality.conf to a value of 2 or more and meets local site policy:

difok = 2

Example:

# sed -ri 's/^s*difoks*=/# &/' /etc/security/pwquality.conf
# printf '
%s' "difok = 2" >> /etc/security/pwquality.conf

Run the following script to remove setting difok on the pam_pwquality.so module in the PAM files:

#!/usr/bin/env bash

{
for l_pam_file in system-auth password-auth; do
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_pwquality.so.*)(s+difoks*=s*S+)(.*$)/14/' /etc/pam.d/"$l_pam_file"
done
}

See Also

https://workbench.cisecurity.org/benchmarks/15962

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 1a85defc1e51637ae5a0c84086d4415002e9303bf694f4109becacab17645c01