7.2 Set Strong Password Creation Policies - HISTORY = 10

Information

The variables in the /etc/default/passwd file indicate various strategies for creating differences required between an old and a new password. As requiring users to select a specific numbers of differences between the characters in the existing password and the new one can strengthen the password by increasing the symbol-set space, to further increase the difficulty of breaking any password by brute-force attacks, these values should be set as appropriate to the needs of the user.

Administrators may wish to add site-specific dictionaries to the DICTIONLIST parameter.
Warning: Sites often have differing opinions on the optimal value of the HISTORY parameter (how many previous passwords to remember per user in order to prevent re- use). The values specified here are in compliance with NSA/DISA requirements. If this is too restrictive for your site, you may wish to set a HISTORY value of 4 and a MAXREPEATS of 2. Consult your local security rules for guidance.

Solution

Perform the following to implement the recommended state:
# cd /etc/default
# awk '/PASSLENGTH=/ { $1 = "PASSLENGTH=8" }; /NAMECHECK=/ { $1 = "NAMECHECK=YES" }; /HISTORY=/ { $1 = "HISTORY=10" }; /MINDIFF=/ { $1 = "MINDIFF=3" }; /MINALPHA=/ { $1 = "MINALPHA=2" }; /MINUPPER=/ { $1 = "MINUPPER=1" }; /MINLOWER=/ { $1 = "MINLOWER=1" }; /MINNONALPHA=/ { $1 = "MINNONALPHA=1" }; /MAXREPEATS=/ { $1 = "MAXREPEATS=0" }; /WHITESPACE=/ { $1 = "WHITESPACE=YES" }; /DICTIONDBDIR=/ { $1 = "DICTIONDBDIR=/var/passwd" }; /DICTIONLIST=/ { $1 = "DICTIONLIST=/usr/share/lib/dict/words" }; { print }' passwd > passwd.CIS
# mv passwd.CIS passwd

See Also

https://workbench.cisecurity.org/files/611

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(e)

Plugin: Unix

Control ID: ed6f54d41a998f1fbd2b862286222e4871b30fd31c866e043c7dbeeaa231b277