7.6 Ensure Password Complexity Policies are in Place - validate_password_dictionary_file

Information

Password complexity covers password characteristics such as length, letter case, numeric characters, and character sets.

Rationale:

Complex passwords help mitigate dictionary, brute-force, and other password attacks. This recommendation prevents users from choosing weak passwords that can easily be guessed.

Impact:

Remediation for this recommendation requires a server restart.

Solution

Add to the global configuration:

plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_check_user_name=ON
validate_password_dictionary_file=<path to dictionary file>
validate_password_policy=STRONG

Optionally set one or more of the following, ensuring that complexity is not overly onerous:

validate_password_mixed_case_count=1
validate_password_number_count=1
validate_password_special_char_count=1

Then change the passwords of any users whose password is identical to their username.
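One way to check a configuration file against the settings listed above before the restart. This is an added example, not part of the benchmark or of the MySQLDB plugin. The `audit` function, the `[mysqld]` section name and both sample files are assumptions constructed for illustration.

```python
import configparser

# Values from the Solution section above. Comparison is against the names
# as written there; numeric aliases are reported as findings (conservative).
REQUIRED = {
    "validate_password": "FORCE_PLUS_PERMANENT",
    "validate_password_check_user_name": "ON",
    "validate_password_policy": "STRONG",
}
MIN_LENGTH = 14

def audit(cnf_text, section="mysqld"):  # section name is an assumption
    """Return a list of findings; an empty list means the file passes."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    # MySQL treats '-' and '_' in option names as equivalent.
    cp.optionxform = lambda k: k.lower().replace("-", "_")
    cp.read_string(cnf_text)
    if not cp.has_section(section):
        return [f"no [{section}] section"]
    opts = cp[section]
    value = lambda key: (opts.get(key) or "").strip()
    findings = []
    if "validate_password.so" not in value("plugin_load"):
        findings.append("plugin_load: validate_password.so not loaded")
    for key, want in REQUIRED.items():
        if value(key).upper() != want:
            findings.append(f"{key}: want {want}, found {value(key) or 'unset'}")
    length = value("validate_password_length")
    if not length.isdigit() or int(length) < MIN_LENGTH:
        findings.append(f"validate_password_length: want >= {MIN_LENGTH}, "
                        f"found {length or 'unset'}")
    if not value("validate_password_dictionary_file"):
        findings.append("validate_password_dictionary_file: unset")
    return findings

# Constructed sample files (not from a real server).
WEAK = "[mysqld]\nvalidate_password_length=8\nvalidate_password_policy=MEDIUM\n"
HARDENED = """[mysqld]
plugin-load=validate_password.so
validate-password=FORCE_PLUS_PERMANENT
validate_password_length=14
validate_password_check_user_name=ON
validate_password_dictionary_file=/constructed/path/dictionary.txt
validate_password_policy=STRONG
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "PASS")
```

The check covers the file only; the running server's values still need to be confirmed after the restart.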

Default Value:

By default, component_validate_password is not installed.

validate_password_length=8

validate_password_mixed_case_count=1

validate_password_number_count=1

validate_password_policy=MEDIUM

validate_password_special_char_count=1

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: MySQLDB

Control ID: f25f5104fbc669ee734f4faf86ca5817d79b05d50767f5349945f4f2fa8f2c00