7.2 Set Strong Password Creation Policies - MINDIFF = 3

Information

The variables in the /etc/default/passwd file indicate various strategies for creating
differences required between an old and a new password. As requiring users to select a
specific numbers of differences between the characters in the existing password and the
new one can strengthen the password by increasing the symbol-set space, to further
increase the difficulty of breaking any password by brute-force attacks, these values should
be set as appropriate to the needs of the user.

Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.Warning- Sites often have differing opinions on the optimal value of the HISTORY
parameter (how many previous passwords to remember per user in order to prevent re-
use). The values specified here are in compliance with NSA/DISA requirements. If this is
too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS
of 2. Consult your local security rules for guidance.

Solution

Perform the following to implement the recommended state-# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = 'PASSLENGTH=14' };
/NAMECHECK=/ { $1 = 'NAMECHECK=YES' };
/HISTORY=/ { $1 = 'HISTORY=10' };
/MINDIFF=/ { $1 = 'MINDIFF=3' };
/MINUPPER=/ { $1 = 'MINUPPER=1' };
/MINLOWER=/ { $1 = 'MINLOWER=1' };
/MINSPECIAL=/ { $1 = 'MINSPECIAL=1' };
/MINDIGIT=/ { $1 = 'MINDIGIT=1' };
/MAXREPEATS=/ { $1 = 'MAXREPEATS=0' };
/WHITESPACE=/ { $1 = 'WHITESPACE=YES' };
/DICTIONDBDIR=/ { $1 = 'DICTIONDBDIR=/var/passwd' };
/DICTIONLIST=/ { $1 = 'DICTIONLIST=/usr/share/lib/dict/words' };
{ print }' passwd > passwd.CIS
# mv passwd.CIS passwd

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(b)

Plugin: Unix

Control ID: 28ceb09590ed0c0fc4cc756ee8c40accee4d4a35273972a9cb6788cfe6c0a599