5.4.7 Ensure minimum and maximum requirements are set for password changes - minclass

Information

The operating system must be configured so that when passwords are changed a minimum of 8 of the total number of characters must be changed and a minimum of 4 character classes must be changed. The operating system must also be configured so that when passwords are changed the number of repeating consecutive characters must not be more than 3 characters and the number of repeating characters of the same character class must not be more than 4 characters. The operating system must be configured so that passwords are a minimum of 15 characters in length.

Rationale:

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Impact:

Consult your documentation for the appropriate PAM file and module. Additional module options may be set, recommendation requirements only cover including try_first_pass and minlen set to 14 or more. Settings in /etc/security/pwquality.conf must use spaces around the = symbol.

Solution

Configure the operating system to require the change of at least 8 of the total number of characters when passwords are changed by setting the difok option and the minclass option and the maxrepeat option and the maxclassrepeat and the minlen option as defined below.
Add the following lines to /etc/security/pwquality.conf (or modify the line to have the required value):
Example: vim /etc/security/pwquality.conf

difok = 8
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
minlen = 15

Additional Information:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version 3, Release: 4 Benchmark Date: 23 Jul 2021

Vul ID: V-204411

Rule ID: SV-204411r603261_rule

STIG ID: RHEL-07-010160

Severity: CAT II

Vul ID: V-204412

Rule ID: SV-204412r603261_rule

STIG ID: RHEL-07-010170

Severity: CAT II

Vul ID: V-204413

Rule ID: SV-204413r603261_rule

STIG ID: RHEL-07-010180

Severity: CAT II

Vul ID: V-204414

Rule ID: SV-204414r603261_rule

STIG ID: RHEL-07-010190

Severity: CAT II

Vul ID: V-204423

Rule ID: SV-204423r603261_rule

STIG ID: RHEL-07-010280

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(b), CCI|CCI-000195, CSCv7|4.4, Rule-ID|SV-204411r603261_rule, Rule-ID|SV-204412r603261_rule, Rule-ID|SV-204413r603261_rule, Rule-ID|SV-204414r603261_rule, Rule-ID|SV-204423r603261_rule, STIG-ID|RHEL-07-010170

Plugin: Unix

Control ID: 2cf21ab47588c9a76bc7e16205df1696ba44c718406e6811c1b9904ac69c2e4f