5.3.1 Ensure password creation requirements are configured - ucredit

Information

The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.
- retry=3 - Allow 3 tries before sending back a failure.
The following options are set in the /etc/security/pwquality.conf file:
- minlen = 14 - password must be 14 characters or more
- dcredit = -1 - provide at least one digit
- ucredit = -1 - provide at least one uppercase character
- ocredit = -1 - provide at least one special character
- lcredit = -1 - provide at least one lowercase character
The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale:
Strong passwords protect systems from being hacked through brute force methods.

Solution

Run the following command to install the pam_pwquality module:
apt-get install libpam-pwquality
Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so retry=3
Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
Notes:
Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more.
Settings in /etc/security/pwquality.conf must use spaces around the = symbol.

See Also

https://workbench.cisecurity.org/files/2429

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|5.7, CSCv6|16.12, CSCv7|4.4

Plugin: Unix

Control ID: d82d48b0578a9892073ad683992a0638222d54bc2ae676579c062a247131cea7