5.3.2.2.4 Ensure password complexity is configured

Information

Password complexity can be set through:

- minclass - The minimum number of character classes required in a new password (digits, uppercase, lowercase, others). e.g. minclass = 4 requires digits, uppercase, lowercase, and special characters.
- dcredit - The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. e.g. dcredit = -1 requires at least one digit
- ucredit - The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. e.g. ucredit = -1 requires at least one uppercase character
- ocredit - The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. e.g. ocredit = -1 requires at least one special character
- lcredit - The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. e.g. lcredit = -1 requires at least one lowercase character

More information about the pam_pwquality.so module configuration files, their location, and load preference is available in the section overview.

Strong passwords protect systems from being hacked through brute force methods.

Solution

Note: CIS password complexity requirements may differ from those of other frameworks or policies; adherence to site-specific policy is imperative.

Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ directory and add or modify the following line(s) as appropriate:

- minclass = 4

--AND/OR--

- dcredit = -N
- ucredit = -N
- ocredit = -N
- lcredit = -N

(where N is the minimum number of characters of that class required in a new password)

Example 1 - Set minclass = 4:

#!/usr/bin/env bash

{
# Comment out any complexity settings in the base file so the drop-in file below takes effect
sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf 2>/dev/null
sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf 2>/dev/null
# Create the drop-in directory if it does not already exist
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
# Write the setting to a dedicated, newline-terminated drop-in file
printf '%s\n' "minclass = 4" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}

Example 2 - Set dcredit = -1, ucredit = -1, and lcredit = -1:

#!/usr/bin/env bash

{
# Comment out any complexity settings in the base file so the drop-in file below takes effect
sed -ri 's/^\s*minclass\s*=/# &/' /etc/security/pwquality.conf 2>/dev/null
sed -ri 's/^\s*[dulo]credit\s*=/# &/' /etc/security/pwquality.conf 2>/dev/null
# Create the drop-in directory if it does not already exist
[ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
# Write one setting per line to a dedicated drop-in file
printf '%s\n' "dcredit = -1" "ucredit = -1" "lcredit = -1" > /etc/security/pwquality.conf.d/50-pwcomplexity.conf
}
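The remediation scripts above write the setting into a drop-in file and comment it out of the base file, so an audit has to look at the effective value across both locations. The following audit helper is an added example, not part of the benchmark or of Tenable's plugin: it merges /etc/security/pwquality.conf with the .conf files in pwquality.conf.d/ and reports whether the effective minclass and credit settings meet this recommendation. It assumes libpwquality's load order (base file first, then drop-in files in lexical order, later values winning), ignores commented-out lines, and treats "minclass >= 4, or all four credit values negative" as the pass criterion; the function names pwq_effective and pwq_complexity_ok are hypothetical. It takes the configuration directory as an argument so it can be run against a copied tree as well as the live /etc/security.

```shell
#!/usr/bin/env bash
# Added audit helper (example code, not from the CIS benchmark or Tenable).

# Print the effective value of KEY from a pwquality configuration tree.
# Assumed load order: BASE/pwquality.conf first, then BASE/pwquality.conf.d/*.conf
# in lexical order; a later definition overrides an earlier one.
# Commented-out lines (as produced by the remediation scripts) are ignored.
pwq_effective() {  # args: base_dir key
    local base="$1" key="$2" f
    {
        [ -f "$base/pwquality.conf" ] && cat "$base/pwquality.conf"
        for f in "$base"/pwquality.conf.d/*.conf; do
            [ -f "$f" ] && cat "$f"
        done
    } | awk -v k="$key" -F'=' '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        {
            gsub(/[[:space:]]/, "", $1)                # strip spaces around key
            if ($1 == k) { v = $2; gsub(/[[:space:]]/, "", v) }
        }
        END { if (v != "") print v }'
}

# Return 0 if the effective settings satisfy the recommendation, 1 otherwise.
# Pass criterion assumed here: minclass >= 4, or every one of dcredit, ucredit,
# lcredit and ocredit is negative (a negative credit is a required minimum).
pwq_complexity_ok() {  # args: base_dir
    local base="$1" minclass v
    minclass=$(pwq_effective "$base" minclass)
    [ -n "$minclass" ] && [ "$minclass" -ge 4 ] 2>/dev/null && return 0
    for v in "$(pwq_effective "$base" dcredit)" "$(pwq_effective "$base" ucredit)" \
             "$(pwq_effective "$base" lcredit)" "$(pwq_effective "$base" ocredit)"; do
        { [ -n "$v" ] && [ "$v" -lt 0 ]; } 2>/dev/null || return 1
    done
    return 0
}

# Usage on a live system (needs read access to /etc/security):
#   pwq_complexity_ok /etc/security && echo PASS || echo FAIL
```

Because the drop-in file is read after the base file, a stale `minclass = 2` left uncommented in pwquality.conf is harmless once the drop-in sets 4, but a stale drop-in with a higher sort order (for example 60-*.conf) silently wins over 50-pwcomplexity.conf; the helper reports the value that actually applies rather than the one you wrote.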

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 752af5454f69e8019ba203113599d84ea6c3d8f1612819abf63f648d2915e4ca