3.1.15 /etc/security/login.cfg - pwd_algorithm

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Defines the loadable password algorithm used when storing user passwords.

AIX 6.1 introduced support for loadable password algorithms, defined in /etc/security/pwdalg.cfg. The traditional UNIX password algorithm is crypt, a one-way hash that uses only the first 8 characters of a password; anything beyond that is silently discarded. Given the speed of modern brute-force password guessing, crypt no longer provides an appropriate level of security, so a stronger hashing mechanism is recommended.

The recommendation of this benchmark is to set the password algorithm to ssha256. This algorithm supports long passwords, up to 255 characters in length, and allows passphrases including the extended ASCII table and the space character. Passwords already stored as crypt hashes remain valid and are re-hashed with the active algorithm the next time the password is changed, but only one system password algorithm can be active at any one time.

Solution

In /etc/security/login.cfg, set the pwd_algorithm attribute of the usw stanza to ssha256:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha256

Impact

Ensure that all running applications support SHA-256 password hashing. Software that reads /etc/security/passwd directly and expects the 13-character crypt format will not understand the prefixed ssha256 hashes written after the change.
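The following audit script is an added example and is not part of the CIS benchmark or of AIX itself. On a live system, lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm reports the current setting; the script reproduces that check by parsing the stanza file directly, so it can also be run against copies collected from hosts, and it additionally lists accounts in /etc/security/passwd whose stored hash still has the legacy crypt form (no {algorithm} prefix), which is the set of accounts that only become ssha256 after their next password change. The login.cfg and passwd files it writes are constructed samples with placeholder hash values, not data from a real system, and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not CIS or IBM code): audit pwd_algorithm and find crypt-hashed accounts.
# Point check_pwd_algorithm at /etc/security/login.cfg and list_legacy_hashes at
# /etc/security/passwd on a real host; the sample files below are constructed.

# get_stanza_attr FILE STANZA ATTR: print ATTR's value inside STANZA (empty if absent).
# AIX stanza files use an unindented "name:" header followed by indented "attr = value" lines.
get_stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[^[:space:]#].*:[[:space:]]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur == stanza {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", key)
            if (key != attr) next
            val = substr($0, n + 1)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            print val; exit
        }
    ' "$1"
}

# check_pwd_algorithm LOGIN_CFG: PASS/FAIL against the benchmark value; returns 0 on PASS.
check_pwd_algorithm() {
    alg=$(get_stanza_attr "$1" usw pwd_algorithm)
    if [ "$alg" = "ssha256" ]; then
        echo "PASS: usw pwd_algorithm = ssha256"
        return 0
    fi
    # When the attribute is absent AIX falls back to crypt.
    if [ -z "$alg" ]; then alg="unset, so AIX falls back to crypt"; fi
    echo "FAIL: usw pwd_algorithm = $alg"
    return 1
}

# list_legacy_hashes SECURITY_PASSWD: print users whose hash lacks the {algorithm}
# prefix that loadable password algorithms add, i.e. a bare 13-character crypt hash.
# "*" (locked / no password) and empty values are skipped.
list_legacy_hashes() {
    awk '
        /^[^[:space:]#].*:[[:space:]]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur != "" && $1 == "password" && $2 == "=" {
            if ($3 != "" && $3 != "*" && substr($3, 1, 1) != "{") print cur
        }
    ' "$1"
}

# write_samples DIR: constructed login.cfg and passwd files (hash values are placeholders).
write_samples() {
    cat > "$1/login.cfg.bad" <<'EOF'
default:
        sak_enabled = false

usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh
        maxlogins = 32767
        logintimeout = 60
        pwd_algorithm = crypt
EOF
    sed 's/pwd_algorithm = crypt/pwd_algorithm = ssha256/' "$1/login.cfg.bad" > "$1/login.cfg.good"
    cat > "$1/passwd" <<'EOF'
root:
        password = {ssha256}06$PLACEHOLDERSALT$PLACEHOLDERHASHPLACEHOLDERHASH
        lastupdate = 1700000000
        flags =

legacy:
        password = XXabcdefghijk
        lastupdate = 1600000000
        flags = ADMCHG

nobody:
        password = *
        flags =
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
audit_status=0
for cfg in "$samples/login.cfg.bad" "$samples/login.cfg.good"; do
    check_pwd_algorithm "$cfg" || audit_status=1
done
legacy_users=$(list_legacy_hashes "$samples/passwd")
if [ -n "$legacy_users" ]; then
    echo "Accounts still stored with crypt (re-hashed at next password change):"
    echo "$legacy_users"
    audit_status=1
fi
echo "overall audit status: $audit_status"
rm -rf "$samples"
```

The legacy-hash listing is what makes the setting change actionable: flipping pwd_algorithm only affects passwords set afterwards, so accounts reported by list_legacy_hashes keep their crypt hashes until an administrator forces a password change (for example with the ADMCHG flag) and should be tracked until that happens.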

See Also

https://workbench.cisecurity.org/files/528