4.4.3.2.4 Ensure password same consecutive characters is configured

Information

The pwquality maxrepeat option sets the maximum number of allowed same consecutive characters in a new password.

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Solution

Create or modify a file ending inconf in the /etc/security/pwquality.conf.d/ directory or the file /etc/security/pwquality.conf and add or modify the following line to set maxrepeat to 3 or less and not 0 Ensure setting conforms to local site policy:

Example:

# sed -ri 's/^s*maxrepeats*=/# &/' /etc/security/pwquality.conf
# printf '
%s' "maxrepeat = 3" >> /etc/security/pwquality.conf.d/50-pwrepeat.conf

Run the following script to remove setting maxrepeat on the pam_pwquality.so module in the PAM files:

#!/usr/bin/env bash

{
for l_pam_file in system-auth password-auth; do
l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_pwquality.so.*)(s+maxrepeats*=s*S+)(.*$)/14/' "$l_authselect_file"
done
authselect apply-changes
}

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: b67563e6518afe39c5852730be4d96b907f5d8fe1b4277fe17686deda5cc242d