4.4.1 Ensure password creation requirements are configured

Information

The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, that it meets a minimum length, that it contains a mix of character classes (e.g. alphabetic, numeric, other) and more.

The following options are set in the /etc/security/pwquality.conf file:

- Password Length:
  - minlen = 14 - password must be 14 characters or more

- Password complexity:
  - minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others)

  OR

  - dcredit = -1 - provide at least one digit
  - ucredit = -1 - provide at least one uppercase character
  - ocredit = -1 - provide at least one special character
  - lcredit = -1 - provide at least one lowercase character

Strong passwords protect systems from being hacked through brute force methods.

Solution

The following settings are a recommended example policy. Alter these values to conform to your own organization's password policies.

Run the following command to install the pam_pwquality module:

# apt install libpam-pwquality

Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy:

minlen = 14

Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy:

Option 1

minclass = 4

Option 2

dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Edit the /etc/pam.d/common-password file to include pam_pwquality.so and to conform to site policy:

password requisite pam_pwquality.so retry=3
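The following POSIX shell audit helper is an added example, not part of the benchmark or the Tenable/CIS text: it checks a pwquality.conf-style file for the length and complexity settings above (minlen >= 14 and either minclass = 4 or all four credit options = -1), ignoring commented-out lines such as the shipped "# minlen = 8", and checks a PAM file for an active pam_pwquality.so line. It runs against constructed sample files so it can be tried offline; the sample paths and file contents are assumptions, and on a real host you would pass /etc/security/pwquality.conf and /etc/pam.d/common-password instead.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark): checks a pwquality.conf-style
# file against 4.4.1 (minlen >= 14 and either minclass = 4 or all four
# *credit = -1) and a PAM file for pam_pwquality.so. Paths are arguments.

# Effective value of a key: strips comments (so the shipped "# minlen = 8"
# does not count), tolerates spaces around '=', last definition wins.
pwq_get() {
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Returns 0 if the file meets the length and complexity recommendation, 1 otherwise.
pwq_check() {
    minlen=$(pwq_get minlen "$1")
    case "$minlen" in
        ''|*[!0-9]*) echo "FAIL: minlen is '${minlen:-unset}', need >= 14"; return 1 ;;
    esac
    [ "$minlen" -ge 14 ] || { echo "FAIL: minlen=$minlen, need >= 14"; return 1; }
    if [ "$(pwq_get minclass "$1")" = "4" ]; then
        echo "PASS: minlen=$minlen, minclass=4"; return 0
    fi
    for k in dcredit ucredit ocredit lcredit; do
        v=$(pwq_get "$k" "$1")
        [ "$v" = "-1" ] || { echo "FAIL: minclass != 4 and $k is '${v:-unset}', need -1"; return 1; }
    done
    echo "PASS: minlen=$minlen, dcredit/ucredit/ocredit/lcredit all -1"
}

# Returns 0 if an uncommented "password" line in the PAM file loads pam_pwquality.so.
pam_check() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[^#]*pam_pwquality\.so' "$1"
}

# Constructed sample files (not taken from a real host) for an offline run.
make_samples() {
    d=$(mktemp -d)
    printf '# minlen = 8\nminlen = 14\ndcredit = -1\nucredit = -1\nocredit = -1\nlcredit = -1\n' > "$d/pwquality.good"
    printf '# minlen = 14\nminclass = 3\n' > "$d/pwquality.bad"
    printf 'password\trequisite\tpam_pwquality.so retry=3\n' > "$d/common-password.good"
    printf '# password requisite pam_pwquality.so retry=3\npassword [success=1 default=ignore] pam_unix.so\n' > "$d/common-password.bad"
    echo "$d"
}

S=$(make_samples)
pwq_check "$S/pwquality.good"          # PASS via Option 2 (credits)
pwq_check "$S/pwquality.bad" || true   # FAIL: only the commented default is present
pam_check "$S/common-password.good" && echo "PASS: pam_pwquality.so is loaded"
```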

See Also

https://workbench.cisecurity.org/benchmarks/13775

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 2cf99d63cb07ec1c1386ce21c2f2b32231a5ddcdc22106300450a3fced0e1d14