4.2 Ensure passwords are required to be complex

Information

ESXi uses the pam_passwdqc.so plug-in to set password strength and complexity. You can change the required length and character class requirement or allow pass phrases using the Security.PasswordQualityControl advanced option. The settings should enforce the organization's password policies.

The character classes are: digits, lower-case letters, upper-case letters, and other characters. There is also a special class for non-ASCII characters, which could not be classified, but are assumed to be non-digits.

The Security.PasswordQualityControl advanced option follows the following format:

retry=N min=N0,N1,N2,N3,N4

retry=N The number of times the module will ask for a new password if the user fails to provide a sufficiently strong password and enter it twice the first time.

min=N0,N1,N2,N3,N4 The minimum allowed password lengths for different kinds of passwords/passphrases. The keyword disabled can be used to disallow passwords of a given kind regardless of their length. Each subsequent number is required to be no larger than the preceding one.

N0 Passwords consisting of characters from one(1) character class only

N1 Passwords consisting of characters from two(2) character classes that do not meet the requirements for a passphrase.

N2 Used for passphrases

N3 Passwords consisting of characters from three(3) character classes that do not meet the requirements for a passphrase.

N4 Passwords consisting of characters from four(4) character classes that do not meet the requirements for a passphrase.

Note: An uppercase character that begins a password does not count toward the number of character classes used, and neither does a number that ends a password.

Note: ESXi imposes no restrictions on the root password. Password strength and complexity rules only apply to non-root users.

Rationale:

All passwords for ESXi hosts should be hard to guess to reduce the risk of unauthorized access.

Solution

To set the password complexity requirements, perform the following:

Get-VmHost | Get-AdvancedSetting -Name Security.PasswordQualityControl | Set-AdvancedSetting -Value 'retry=N min=N0,N1,N2,N3,N4'

Confirm N0 is set to disabled.

Confirm N1 is set to disabled.

Confirm N2 is set to disabled.

Confirm N3 is set to disabled.

Confirm N4 is set to 14 or greater.

The above requires all passwords to be 14 or more characters long and comprised of at least one character from four distinct character sets.

See Also

https://workbench.cisecurity.org/benchmarks/8020

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: VMware

Control ID: bdc933f3fe5bbee930f9cdef1a85fdb6f440758f7eb4f0f94e7cf722db1534d5