5.2.2 Ensure Password Minimum Length Is Configured

Information

A minimum password length is the fewest number of characters a password can contain to meet a system's requirements.

Ensure that a minimum of a 15-character password is part of the password policy on the computer.

Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient rather than imposing additional complexity requirements that may be self-defeating.

Information systems that are not protected with strong password schemes including passwords of minimum length provide a greater opportunity for attackers to crack the password and gain access to the system.

Solution

Run the following command to set the password length to greater than or equal to 15:

% /usr/bin/sudo /usr/bin/pwpolicy -n /Local/Default -setglobalpolicy "minChars=<value>=15>"

Impact:

Short passwords can be easily attacked.

See Also

https://workbench.cisecurity.org/benchmarks/17466

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: ccc6e006c0ab230054423f3836ec3b5aeba44fe9626576e2f323aad8e3783084