Information
Require the use of passwords that are not easily guessed and that are difficult for password
generators to determine.
*Rationale*
ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. It is
important to use passwords that are not easily guessed and that are difficult for password
generators to determine.Note- ESXi imposes no restrictions on the root password. Password strength and
complexity rules only apply to non-root users.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Perform the following-1. Login to the ESXi shell as a user with administrator privileges.
2. Open /etc./pam.d/passwd
3. Locate the following line-password requisite /lib/security/$ISA/pam_passwdqc.so retry=N
min=N0,N1,N2,N3,N44. Set N is less than or equal to 5
5. Set N0 to disabled
6. Set N1 to disabled
7. Set N2 to disabled
8. Set N3 to disabled
9. Set N4 to 14 or greaterThis above requires all passwords to be 14 or more characters long and comprised of at
least one character from four distinct character sets. Additionally, a maximum of 5 login
attempts are permitted.
Default Value-The prescribed state is the default state.