7.6 Ensure Password Complexity Policies are in Place - 'validate_password_special_char_count'

Information

Password complexity includes password characteristics such as length, case, numerical, and character sets.

Rationale:

Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed.

Impact:

Remediation for this recommendation requires a server restart.

Solution

Add to the global configuration:

plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_dictionary_file=<path to dictionary file>
validate_password_policy=STRONG

Optionally set one or more of these - ensuring complexity is not overly onerous

validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1

And change passwords for users which have passwords which are identical to their username.

See Also

https://workbench.cisecurity.org/files/3859

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: MySQLDB

Control ID: 80df535c3d40f4908771d99bbe5334ab9d201a0448742c9f240784976a58e158