9.2.1 Set Password Creation Requirement Parameters Using pam_cracklib - dcredit=-1


The pam_cracklib module checks the strength of passwords. It performs checks such as
making sure a password is not a dictionary word, is a certain length, contains a mix of
characters (e.g. alphabetic, numeric, other) and more. The following are definitions of the
pam_cracklib.so options.

retry=3 - Allow 3 tries before sending back a failure.
minlen=14 - password must be 14 characters or more
dcredit=-1 - provide at least one digit
ucredit=-1 - provide at least one uppercase character
ocredit=-1 - provide at least one special character
lcredit=-1 - provide at least one lowercase character

The setting shown above is one possible policy.
Alter these values to conform to your own organization's password policies.


Strong passwords protect systems from being hacked through brute force methods.


Set the pam_cracklib.so parameters as follows in /etc/pam.d/common-password:

password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1
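An added example, not part of the original benchmark text or of any vendor's audit code: a Python check that parses the password stack of a PAM file and compares the pam_cracklib.so options against the values in the remediation line above. The function names, the sample file contents, and treating retry=3 as an upper bound are assumptions.

```python
import re

# Thresholds from the remediation line on this page. For the *credit options,
# pam_cracklib reads a negative value N as "at least |N| characters of that
# class", so compliance means value <= -1. retry as an upper bound is an assumption.
POLICY = {"minlen": ("min", 14), "retry": ("max", 3),
          "dcredit": ("max", -1), "ucredit": ("max", -1), "ocredit": ("max", -1)}

def cracklib_options(pam_text):
    """Return the options of the first active 'password' pam_cracklib.so line, or None."""
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and commented-out lines
        # Fields: type, control (keyword or [bracketed]), module path, arguments
        m = re.match(r"-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m or not m.group(2).endswith("pam_cracklib.so"):
            continue
        opts = {}
        for arg in m.group(3).split():
            key, _, value = arg.partition("=")
            opts[key] = value
        return opts
    return None

def audit(pam_text, policy=POLICY):
    """Return a list of findings; an empty list means the line meets the policy."""
    opts = cracklib_options(pam_text)
    if opts is None:
        return ["no active pam_cracklib.so line in the password stack"]
    findings = []
    for name, (kind, limit) in policy.items():
        try:
            value = int(opts[name])
        except (KeyError, ValueError):
            findings.append(f"{name}: missing or not an integer")
            continue
        if kind == "min" and value < limit or kind == "max" and value > limit:
            findings.append(f"{name}={value} does not satisfy {kind} {limit}")
    return findings

# Constructed sample files (not taken from a real system).
GOOD = "password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1\n"
WEAK = ("#password required pam_cracklib.so retry=3 minlen=14 dcredit=-1\n"
        "password requisite pam_cracklib.so retry=3 minlen=8 dcredit=1 ucredit=-1\n")

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit(text) or "compliant")
```

To enforce lcredit=-1 from the option list as well, add an "lcredit": ("max", -1) entry to the policy passed to audit().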

Item Details


References: 800-53|IA-5(1)(a)

Plugin: Unix

Control ID: 71f4f777f626d1e3256456eeacb2aad5b954e5fa6722efa0ac51983ed24655c8