5.3.1 Ensure password creation requirements are configured - /etc/pam.d/* ocredit

Information

Strong passwords protect systems from being hacked through brute force methods.

Solution

Set password creation requirements to conform to site policy. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate /etc/pam.d/ configuration file and add or modify the pam_cracklib.so or pam_pwquality.so lines to include the required option:
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password requisite pam_pwquality.so try_first_pass retry=3

If pam_pwquality.so is in use also configure settings in /etc/security/pwquality.conf:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1

See Also

https://workbench.cisecurity.org/files/1856

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, CSCv6|5.7, CSCv6|16.12

Plugin: Unix

Control ID: 532a6f265c720801df270496ae6f2cbedc3c485a0263863ff42813b8f14b9a18