5.3.1 Ensure password creation requirements are configured - 'ocredit'

Information

The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options. try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password. retry=3 - Allow 3 tries before sending back a failure. The following options are set in the /etc/security/pwquality.conf file: minlen=14 - password must be 14 characters or more dcredit=-1 - provide at least one digit ucredit=-1 - provide at least one uppercase character ocredit=-1 - provide at least one special character lcredit=-1 - provide at least one lowercase character The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies. Strong passwords protect systems from being hacked through brute force methods.

Solution

Run the following command to install the pam_pwquality module:
apt-get install libpam-pwquality

Edit the /etc/pam.d/common-passwd file to include the appropriate options for pam_pwquality.so and to conform to site policy:
password requisite pam_pwquality.so try_first_pass retry=3

Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:
minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1

See Also

https://workbench.cisecurity.org/files/1866

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a), CSCv6|16.1

Plugin: Unix

Control ID: 304f1d22ade898d36ff56526ea8ba9143f79906bfa6d260a826a510e23fc6ec8