Detections
Analytics

5.3.2.2.5 Ensure password same consecutive characters is configured

Information

The pwquality maxrepeat option sets the maximum number of allowed same consecutive characters in a new password.

More information about the pam_pwquality.so module configuration files, their location, and load preference is available in the section overview.

Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Solution

Create or modify a file ending in .conf in the /etc/security/pwquality.conf.d/ directory and add or modify the following line to set maxrepeat to 3 or less and not 0 . Ensure setting conforms to local site policy:

maxrepeat = 3

Example:

#!/usr/bin/env bash

{
 sed -ri 's/^\s*maxrepeat\s*=/# &/' /etc/security/pwquality.conf 2>/dev/null
 [ ! -d /etc/security/pwquality.conf.d/ ] && mkdir /etc/security/pwquality.conf.d/
 printf '\n%s' "maxrepeat = 3" > /etc/security/pwquality.conf.d/50-pwrepeat.conf
}

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5, 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 185db90457482af6d4b88eddd15ac330c70d1863fba09754f955b179b512e652