5.3.1 Ensure password creation requirements are configured - retry=3

Information

The pam_cracklib.so module checks the strength of passwords. It performs checks such as
making sure a password is not a dictionary word, it is a certain length, contains a mix of
characters (e.g. alphabet, numeric, other) and more. The following are definitions of the
pam_cracklib.so options.

- try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.
- retry=3 - allow 3 tries before sending back a failure.
- minlen=14 - password must be 14 characters or more
- dcredit=-1 - provide at least one digit
- ucredit=-1 - provide at least one uppercase character
- ocredit=-1 - provide at least one special character
- lcredit=-1 - provide at least one lowercase character

The pam_pwquality.so module functions similarly, but the minlen, dcredit, ucredit,
ocredit, and lcredit parameters are stored in the /etc/security/pwquality.conf file.

The settings shown above are one possible policy. Alter these values to conform to your
own organization's password policies.

Rationale:

Strong passwords protect systems from being compromised through brute-force methods.

Solution

Set password creation requirements to conform to site policy. Many distributions provide
tools for updating PAM configuration; consult your documentation for details. If no tooling
is provided, edit the appropriate /etc/pam.d/ configuration file and add or modify the
pam_cracklib.so or pam_pwquality.so lines to include the required options:

password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password requisite pam_pwquality.so try_first_pass retry=3

If pam_pwquality.so is in use, also configure settings in /etc/security/pwquality.conf:

minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Notes:

Consult your documentation for the appropriate PAM file and module.

Additional module options may be set; the recommendation's requirements only cover including
try_first_pass and minlen set to 14 or more.

Settings in /etc/security/pwquality.conf must use spaces around the = symbol.
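The following audit helper is an added example and is not part of the CIS text or of any distribution's tooling. It reads a pwquality.conf-style file and a /etc/pam.d file, both passed as arguments, and reports whether they carry the values listed above (try_first_pass, retry, minlen of 14 or more, each credit at -1 or lower). The file paths, the constructed sample files, and the choice to accept a retry value below 3 as stricter are assumptions made here.

```shell
#!/bin/sh
# Added audit helper for this recommendation (not part of the CIS text or of
# any distribution tooling). Assumption: file paths are passed explicitly so
# the functions run against the constructed samples below as well as against
# the real files.

# Print the numeric value of key $2 from file $1 ("key = value" form, as the
# note above requires). Comment lines are ignored; the last occurrence wins.
pwq_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([-0-9]*\).*/\1/p' "$1" | tail -n 1
}

# A pwquality.conf is compliant when minlen is 14 or more and each credit is
# -1 or lower (a negative credit is a minimum count for that character class).
check_pwquality_conf() {
    minlen=$(pwq_get "$1" minlen)
    { [ -n "$minlen" ] && [ "$minlen" -ge 14 ]; } || return 1
    for key in dcredit ucredit ocredit lcredit; do
        val=$(pwq_get "$1" "$key")
        { [ -n "$val" ] && [ "$val" -le -1 ]; } || return 1
    done
    return 0
}

# A pam.d file is compliant when its password-stack line for pam_pwquality.so
# or pam_cracklib.so carries try_first_pass and retry=3 (a lower retry value is
# accepted as stricter; assumption). With pam_cracklib.so, minlen sits on the
# same line and must be 14 or more.
check_pam_file() {
    line=$(grep -E '^[[:space:]]*password[[:space:]]+(requisite|required)[[:space:]]+pam_(pwquality|cracklib)\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -qw try_first_pass || return 1
    retry=$(printf '%s\n' "$line" | sed -n 's/.*retry=\([0-9][0-9]*\).*/\1/p')
    { [ -n "$retry" ] && [ "$retry" -le 3 ]; } || return 1
    case "$line" in
        *pam_cracklib.so*)
            minlen=$(printf '%s\n' "$line" | sed -n 's/.*minlen=\([0-9][0-9]*\).*/\1/p')
            { [ -n "$minlen" ] && [ "$minlen" -ge 14 ]; } || return 1 ;;
    esac
    return 0
}

# Constructed sample files (not real system files) so the checks run offline.
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/pwquality-good.conf" <<'EOF'
# constructed: matches the recommended values
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
cat > "$SAMPLES/pwquality-weak.conf" <<'EOF'
# constructed: too short, and digits are not required
minlen = 8
dcredit = 0
ucredit = -1
ocredit = -1
lcredit = -1
EOF
cat > "$SAMPLES/pam-pwquality-good" <<'EOF'
password requisite pam_pwquality.so try_first_pass retry=3
EOF
cat > "$SAMPLES/pam-cracklib-good" <<'EOF'
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
EOF
cat > "$SAMPLES/pam-missing-try" <<'EOF'
password requisite pam_pwquality.so retry=3
EOF

# Run a check function ($1) against a file ($2) and print PASS or FAIL.
report() {
    if "$1" "$2"; then echo "PASS $2"; else echo "FAIL $2"; fi
}
report check_pwquality_conf "$SAMPLES/pwquality-good.conf"
report check_pwquality_conf "$SAMPLES/pwquality-weak.conf"
report check_pam_file "$SAMPLES/pam-pwquality-good"
report check_pam_file "$SAMPLES/pam-cracklib-good"
report check_pam_file "$SAMPLES/pam-missing-try"
```

Against a live system, call the functions with the real paths, for example `check_pwquality_conf /etc/security/pwquality.conf` and `check_pam_file` on whichever /etc/pam.d file your distribution uses for the password stack (see the note above on consulting your documentation). The helper only inspects the first matching password-stack line; a system that stacks both modules should be reviewed by hand.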

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv6|5.7, CSCv6|16.12, CSCv7|4.4

Plugin: Unix

Control ID: 23afe7dba454266a558ffdc534137bdd78edf754fc81a08bfb5e70c703d6bc15