4.4.2.2.3 Ensure password length is configured

Information

minlen - Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). Cannot be set to lower value than 6.

Strong passwords protect systems from being hacked through brute force methods.

Solution

Edit the file /etc/security/pwquality.conf and add or modify the following line to set password length of 14 or more characters. Ensure that password length conforms to local site policy:

minlen = 14

Run the following script to remove setting minlen on the pam_pwquality.so module in the PAM files:

#!/usr/bin/env bash

{
for l_pam_file in system-auth password-auth; do
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_pwquality.so.*)(s+minlens*=s*[0-9]+)(.*$)/14/' /etc/pam.d/"$l_pam_file"
done
}

See Also

https://workbench.cisecurity.org/benchmarks/15965

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 168b892ad9bd0bb03ebaba4d2c1f96cddd2a638d8783b49ab10d710faa032e09