9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib - lcredit=-1

Information

The pam_cracklib module checks the strength of passwords. It performs checks such as
making sure a password is not a dictionary word, it is a certain length, contains a mix of
characters (e.g. alphabet, numeric, other) and more. The following are definitions of the
pam_cracklib.so options.

retry=3 - Allow 3 tries before sending back a failure.
minlen=14 - password must be 14 characters or more
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character

lcredit=-1 - provide at least one lowercase characterThe setting shown above is one possible policy.
Alter these values to conform to your own organization's password policies.

*Rationale*

Strong passwords protect systems from being hacked through brute force methods.

Solution

Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password-password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1
lcredit=-1

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: Unix

Control ID: 71f4f777f626d1e3256456eeacb2aad5b954e5fa6722efa0ac51983ed24655c8