5.2.2 Set a minimum password length

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.

Ensure that a minimum of a 15 character password is part of the password policy on the computer.

Where the confidentiality of encrypted information in FileVault is more of a concern requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.

Rationale:

Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system.

Solution

Perform the following to implement the prescribed state for all pwpolicy controls

1. Run the following command in Terminal:

pwpolicy -setaccountpolicies

Examples in pwpolicy man page

See Also

https://workbench.cisecurity.org/files/2105

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: Unix

Control ID: 030ea7b739da06cffebadd74cc547aa3a78ee28d338ded6d1f812336f1afa286