5.4.1 Ensure password creation requirements are configured - system-auth ucredit


The pam_cracklib.so module checks the strength of a new password before it is accepted. It performs checks such as making sure the password is not a dictionary word, that it meets a minimum length, and that it contains a mix of character classes (e.g. uppercase, lowercase, numeric, other), among others. The following are definitions of the pam_cracklib.so options used in this recommendation.

try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.

retry=3 - Allow 3 tries before sending back a failure.

minlen=14 - password must be 14 characters or more

dcredit=-1 - provide at least one digit

ucredit=-1 - provide at least one uppercase character

ocredit=-1 - provide at least one special character

lcredit=-1 - provide at least one lowercase character

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.


Strong passwords protect systems against brute-force and dictionary guessing attacks, whether against the login prompt or against a stolen hash.


Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files to include the appropriate options for pam_cracklib.so and to conform to site policy:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1

Additional Information:

authconfig may overwrite any changes made as part of this recommendation. It is advisable to maintain a backup and audit this recommendation anytime authconfig is used.

Additional module options may be set; the recommendation's requirements cover only that try_first_pass is present and that minlen is set to 14 or more.
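The following script is an added example and not part of the CIS benchmark or the Tenable audit; it shows how the audit and remediation above can be expressed as a check. It verifies that the first uncommented "password requisite pam_cracklib.so" line in a file carries try_first_pass, minlen of 14 or more and all four credit options at -1, and it rewrites or inserts that line when the check fails. The PAM files it works on are constructed samples written under a temporary directory (PAMDIR), so it runs offline; pointing PAMDIR at /etc/pam.d would run it against a real host. The function names cracklib_audit, cracklib_remediate and make_sample are this example's own.

```shell
#!/bin/sh
# Added example for this recommendation (not part of the CIS/Tenable text):
# audit a PAM file for the pam_cracklib.so line the control asks for, and
# remediate it. All paths are constructed under a temp dir so the script runs
# offline; set PAMDIR=/etc/pam.d to run it against a real host.

PAMDIR=$(mktemp -d)

# The line the remediation text asks for.
REQUIRED='password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1'

# cracklib_audit FILE: exit 0 when the first uncommented
# "password requisite pam_cracklib.so" line carries try_first_pass,
# minlen>=14 and dcredit/ucredit/ocredit/lcredit all equal to -1.
cracklib_audit() {
    file="$1"
    line=$(grep -E '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so' "$file" | head -n 1)
    [ -n "$line" ] || return 1
    echo "$line" | grep -qw 'try_first_pass' || return 1
    minlen=$(echo "$line" | sed -n 's/.*minlen=\([0-9][0-9]*\).*/\1/p')
    { [ -n "$minlen" ] && [ "$minlen" -ge 14 ]; } || return 1
    for opt in dcredit ucredit ocredit lcredit; do
        # match the whole token so e.g. ucredit=-10 is not mistaken for ucredit=-1
        echo "$line" | grep -qE "(^|[[:space:]])$opt=-1([[:space:]]|\$)" || return 1
    done
    return 0
}

# cracklib_remediate FILE: back the file up, then rewrite any existing
# "password requisite pam_cracklib.so" line to REQUIRED, or insert REQUIRED
# before the first "password" line (appending if the file has none).
cracklib_remediate() {
    file="$1"
    cp "$file" "$file.bak"   # authconfig may overwrite the file later; keep a copy to diff against
    if grep -qE '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so' "$file"; then
        awk -v req="$REQUIRED" '
            /^[ \t]*password[ \t]+requisite[ \t]+pam_cracklib\.so/ { print req; next }
            { print }
        ' "$file" > "$file.tmp"
    else
        awk -v req="$REQUIRED" '
            !done && /^[ \t]*password[ \t]/ { print req; done = 1 }
            { print }
            END { if (!done) print req }
        ' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# make_sample FILE: write a constructed system-auth stack whose cracklib line
# lacks minlen and the credit options, i.e. the state before hardening.
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
}

# Walk through the control on both files the recommendation names.
for f in system-auth password-auth; do
    make_sample "$PAMDIR/$f"
    if cracklib_audit "$PAMDIR/$f"; then echo "$f: PASS"; else echo "$f: FAIL"; fi
    cracklib_remediate "$PAMDIR/$f"
    if cracklib_audit "$PAMDIR/$f"; then echo "$f: PASS after remediation"; else echo "$f: still FAIL"; fi
    grep 'pam_cracklib' "$PAMDIR/$f"
done
```

The audit only reads the first matching cracklib line, which is also the one PAM evaluates first in the password stack; running the remediation twice leaves a single line, so it is safe to re-run after authconfig has touched the files.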

Item Details


References: 800-53|IA-5(1), CSCv6|5.7, CSCv6|16.12, CSCv7|4.4

Plugin: Unix

Control ID: 83a181566789e12f6d54816f345f7c40617f55149d2746c91ec9fd7cbf63b506