Detections
Analytics
5.3.3.2.3 Ensure password complexity is configured
Information
Password complexity can be set through:- minclass - The minimum number of classes of characters required in a new password. (digits, uppercase, lowercase, others). e.g. minclass = 4 requires digits, uppercase, lower case, and special characters.
- dcredit - The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. e.g. dcredit = -1 requires at least one digit
- ucredit - The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. e.g. ucredit = -1 requires at least one uppercase character
- ocredit - The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. e.g. ocredit = -1 requires at least one special character
- lcredit - The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. e.g. lcredit = -1 requires at least one lowercase character
Strong passwords protect systems from being hacked through brute force methods.
Requiring at least one non-alphabetic character increases the search space beyond pure dictionary words, which makes the resulting password harder to crack.
Forcing users to choose an excessively complex password, e.g. some combination of upper-case, lower-case, numbers, and special characters, has a negative impact. It places an extra burden on users and many will use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a "special character" at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like, $ for s, @ for a, 1 for l, 0 for o.
Solution
Run the following command:# grep -Pl -- 'bpam_pwquality.soh+([^#
r]+h+)?(minclass|[dulo]credit)b' /usr/share/pam-configs/*
Edit any returned files and remove the minclass dcredit ucredit lcredit and ocredit arguments from the pam_pwquality.so line(s)
Create or modify a file ending inconf in the /etc/security/pwquality.conf.d/ directory or the file /etc/security/pwquality.conf and add or modify the following line(s) to set complexity according to local site policy:
- minclass = _N_
- dcredit = _N_ # Value should be either 0 or a number proceeded by a minus ( - ) symbol
- ucredit = -1 # Value should be either 0 or a number proceeded by a minus ( - ) symbol
- ocredit = -1 # Value should be either 0 or a number proceeded by a minus ( - ) symbol
- lcredit = -1 # Value should be either 0 or a number proceeded by a minus ( - ) symbol
Example 1 - Set minclass = 3 :
#!/usr/bin/env bash
{
sed -ri 's/^s*minclasss*=/# &/' /etc/security/pwquality.conf
sed -ri 's/^s*[dulo]credits*=/# &/' /etc/security/pwquality.conf
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '
%s' "minclass = 3" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}
Example 2 - set dcredit = -1 ucredit = -1 and lcredit = -1 :
#!/usr/bin/env bash
{
sed -ri 's/^s*minclasss*=/# &/' /etc/security/pwquality.conf
sed -ri 's/^s*[dulo]credits*=/# &/' /etc/security/pwquality.conf
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '%s
' "dcredit = -1" "ucredit = -1" "lcredit = -1" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}
Impact:
Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords
See Also
Item Details
Audit Name: CIS Debian Linux 12 v1.1.0 L1 Server
Category: IDENTIFICATION AND AUTHENTICATION
References: 800-53|IA-5(1), CSCv7|4.4
Plugin: Unix
Control ID: 006b6ccea0919f400a09414f4950e74ad858a9ed5815c7c396207ededabf2fa2