7.5 Ensure Password Complexity Policies are in Place

Information

Password complexity includes password characteristics such as length, case, numerical, and character sets.

Rationale:

Complex passwords help mitigate dictionary, brute forcing, and other password attacks. This recommendation prevents users from choosing weak passwords which can easily be guessed.

Solution

Install component_validate_password component:

INSTALL COMPONENT 'file://component_validate_password';

Persist following configuration:

SET PERSIST validate_password.length=14;
SET PERSIST validate_password.check_user_name=ON;
SET PERSIST validate_password.dictionary_file=<path to dictionary file>;
SET PERSIST validate_password.policy=STRONG;

Optionally set one or more of these - ensuring complexity is not overly onerous

SET PERSIST validate_password.mixed_case_count=1;
SET PERSIST validate_password.number_count=1;
SET PERSIST validate_password.special_char_count=1;

And change passwords for users which have passwords which are identical to their username.

Default Value:

By default component_validate_password is not installed.

validate_password.length=8

validate_password.mixed_case_count=1

validate_password.number_count=1

validate_password.policy=MEDIUM

validate_password.special_char_count=1

See Also

https://workbench.cisecurity.org/benchmarks/15112

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: MySQLDB

Control ID: 1288c935cca6ae8fe71eda9816a0498f5951334c3854df1f7cdab2cb8428fcd8