5.3.3.2.3 Ensure password complexity is configured

Information

Password complexity can be set through:

- minclass - The minimum number of classes of characters required in a new password (digits, uppercase, lowercase, others). e.g. minclass = 4 requires digits, uppercase, lowercase, and special characters.
- dcredit - The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. e.g. dcredit = -1 requires at least one digit
- ucredit - The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. e.g. ucredit = -1 requires at least one uppercase character
- ocredit - The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. e.g. ocredit = -1 requires at least one special character
- lcredit - The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. e.g. lcredit = -1 requires at least one lowercase character

Strong passwords protect systems from being hacked through brute force methods.

Requiring at least one non-alphabetic character increases the search space beyond pure dictionary words, which makes the resulting password harder to crack.

Forcing users to choose an excessively complex password, e.g. some combination of upper-case, lower-case, numbers, and special characters, has a negative impact. It places an extra burden on users and many will use predictable patterns (for example, a capital letter in the first position, followed by lowercase letters, then one or two numbers, and a "special character" at the end). Attackers know this, so dictionary attacks will often contain these common patterns and use the most common substitutions like $ for s, @ for a, 1 for l, 0 for o.

Solution

Run the following command:

# grep -Pl -- '\bpam_pwquality\.so\h+([^#\n\r]+\h+)?(minclass|[dulo]credit)\b' /usr/share/pam-configs/*

Edit any returned files and remove the minclass, dcredit, ucredit, lcredit and ocredit arguments from the pam_pwquality.so line(s).

Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ directory or the file /etc/security/pwquality.conf and add or modify the following line(s) to set complexity according to local site policy:

- minclass = _N_
- dcredit = _N_ # Value should be either 0 or a number preceded by a minus ( - ) symbol
- ucredit = -1 # Value should be either 0 or a number preceded by a minus ( - ) symbol
- ocredit = -1 # Value should be either 0 or a number preceded by a minus ( - ) symbol
- lcredit = -1 # Value should be either 0 or a number preceded by a minus ( - ) symbol

Example 1 - Set minclass = 3 :

#!/usr/bin/env bash

{
# Comment out any existing minclass and [dulo]credit lines in the main file
sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf
sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf
# Make sure the drop-in directory exists, then write the site setting there
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '%s\n' "minclass = 3" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}

Example 2 - Set dcredit = -1, ucredit = -1 and lcredit = -1 :

#!/usr/bin/env bash

{
# Comment out any existing minclass and [dulo]credit lines in the main file
sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf
sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf
# Make sure the drop-in directory exists, then write one setting per line
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
printf '%s\n' "dcredit = -1" "ucredit = -1" "lcredit = -1" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}
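The remediation above relies on the main file's entries being commented out and the drop-in file taking effect, so a practitioner will want a way to confirm what actually remains in force. The following is an added audit script, not part of the benchmark or of libpwquality: it reads /etc/security/pwquality.conf and then /etc/security/pwquality.conf.d/*.conf in sorted order and reports the five complexity keys, on the assumption that a later assignment of a key overrides an earlier one. The policy check function encodes an assumed local policy matching the two examples (minclass of 3 or more, or all four credits negative); both paths are parameters so the functions can be run against copies of the files.

```shell
#!/usr/bin/env bash
# Added example (not from the benchmark or libpwquality): report the
# minclass/credit settings left in effect after reading the main file and
# the conf.d drop-ins in sorted order. Assumption: a later assignment of a
# key overrides an earlier one. Paths default to the real locations.

pwq_effective() {
    local main="${1:-/etc/security/pwquality.conf}"
    local dir="${2:-/etc/security/pwquality.conf.d}"
    local files=() f
    if [ -f "$main" ]; then files+=("$main"); fi
    for f in "$dir"/*.conf; do
        if [ -f "$f" ]; then files+=("$f"); fi
    done
    if [ "${#files[@]}" -eq 0 ]; then
        echo "no pwquality configuration found" >&2
        return 1
    fi
    # Drop comments, keep "key = value" lines for the five complexity keys;
    # the last assignment seen wins. Keys never assigned are reported as "unset".
    awk '
        { sub(/#.*/, "") }
        /^[[:space:]]*(minclass|[dulo]credit)[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[1])
            gsub(/[[:space:]]/, "", kv[2])
            val[kv[1]] = kv[2]
        }
        END {
            n = split("minclass dcredit ucredit lcredit ocredit", keys, " ")
            for (i = 1; i <= n; i++)
                printf "%s=%s\n", keys[i], (keys[i] in val) ? val[keys[i]] : "unset"
        }' "${files[@]}"
}

# Helper: pull one key's value out of pwq_effective's output.
pwq_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2 }'
}

# Assumed local policy for this example, matching the two remediation
# examples: either minclass is 3 or more, or every credit value is negative
# (i.e. a minimum count of each class is required). Returns 0 when met.
pwq_policy_ok() {
    local settings minclass v
    settings="$(pwq_effective "$1" "$2")" || return 1
    minclass="$(pwq_get "$settings" minclass)"
    if [ "$minclass" != unset ] && [ "$minclass" -ge 3 ] 2>/dev/null; then
        return 0
    fi
    for v in dcredit ucredit lcredit ocredit; do
        v="$(pwq_get "$settings" "$v")"
        # A non-numeric or unset value fails the policy rather than passing it
        if [ "$v" = unset ] || ! [ "$v" -lt 0 ] 2>/dev/null; then
            return 1
        fi
    done
    return 0
}

# Stand-alone use: bash pwq-audit.sh <pwquality.conf> <pwquality.conf.d>
if [ "$#" -eq 2 ]; then
    pwq_effective "$1" "$2"
    if pwq_policy_ok "$1" "$2"; then echo "policy: PASS"; else echo "policy: FAIL"; fi
fi
```

Run it with the two real paths to audit a host, or with copies collected from a fleet to check them centrally; because the check reads what the files say rather than what a PAM stack happens to load, it is a complement to the grep over /usr/share/pam-configs/ above, not a replacement for it.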

Impact:

Passwords that are too complex in nature make it harder for users to remember, leading to bad practices. In addition, composition requirements provide no defense against common attack types such as social engineering or insecure storage of passwords.

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 006b6ccea0919f400a09414f4950e74ad858a9ed5815c7c396207ededabf2fa2