Check: FreeBSD-10-000460
FreeBSD 10:
FreeBSD-10-000460
(in version v1 r1)
Title
The operating system must enforce a minimum 15-character password length. (Cat II impact)
Discussion
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

Satisfies: SRG-OS-000078-GPOS-00046
Check Content
Verify the operating system enforces a minimum 15-character password length. If it does not, this is a finding.

$ cat /etc/login.conf

Ensure "minpasswordlen" is set under "default" and any other not commented-out section. If it is not set or is less than 15, this is a finding.

FreeBSD password quality checks are performed by pam_passwdqc. Verify it is installed and in use:

$ cat /etc/pam.d/passwd
password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password required pam_unix.so no_warn try_first_pass nullok

If the pam_passwdqc.so line is not commented out, it must contain the settings "enforce=everyone" and "min=disabled,disabled,disabled,disabled,15" (the number in this may be larger). If a number less than 15 appears, this is a finding. If this line is commented out and "minpasswordlen" is correct, this is not a finding.
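The following script is an added audit helper for this check; it is not part of the STIG, of FreeBSD or of pam_passwdqc. It automates the two manual steps above: it parses a login.conf-style file for "minpasswordlen" in the "default" class and in every other uncommented class, and it parses a pam.d/passwd-style file for an active pam_passwdqc line with "enforce=everyone" and a "min=" whose fields are "disabled" or at least 15. A commented-out pam_passwdqc line alone is not reported, matching the last sentence of the check. The MIN_LEN constant, the function names, the simplified login.conf parser (it does not resolve "tc=" inheritance) and the sample files the script writes are all assumptions made for this example; the samples are constructed, not real system files.

```shell
#!/bin/sh
# Added audit helper for this check (not part of the STIG or of FreeBSD).
# Reports a finding when the enforced minimum password length is below MIN_LEN.
MIN_LEN=15

# Pass 1: /etc/login.conf. Class headers start in column 0 ("default:\"),
# capabilities are indented, colon-delimited and continued with a trailing
# backslash. Every class that sets minpasswordlen must use MIN_LEN or more,
# and "default" must set it (other classes usually inherit via tc=default).
# Simplified parser: tc= inheritance is not resolved (assumption).
check_login_conf() {
    awk -v min="$MIN_LEN" '
        /^[ \t]*#/ { next }                                # comment line
        /^[^ \t]/  { split($0, h, ":"); class = h[1]; next } # class header
        class != "" {
            n = split($0, caps, ":")
            for (i = 1; i <= n; i++) {
                if (caps[i] ~ /^minpasswordlen=/) {
                    split(caps[i], kv, "=")
                    len = kv[2] + 0
                    if (class == "default") default_seen = 1
                    if (len < min) {
                        print "FINDING: class " class " sets minpasswordlen=" len
                        bad = 1
                    }
                }
            }
        }
        END {
            if (!default_seen) { print "FINDING: default class does not set minpasswordlen"; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Pass 2: /etc/pam.d/passwd. A commented-out pam_passwdqc line is not a finding
# by itself (login.conf then governs). An active line must carry enforce=everyone,
# every min= field must be "disabled" or >= MIN_LEN, and the last min= field
# must be a number >= MIN_LEN.
check_pam_passwdqc() {
    awk -v min="$MIN_LEN" '
        /^[ \t]*#/ { next }
        $1 == "password" && $3 ~ /pam_passwdqc\.so/ {
            enforce_ok = 0; last_ok = 0
            for (i = 4; i <= NF; i++) {
                if ($i == "enforce=everyone") enforce_ok = 1
                if ($i ~ /^min=/) {
                    v = $i; sub(/^min=/, "", v)
                    n = split(v, f, ",")
                    for (j = 1; j <= n; j++)
                        if (f[j] != "disabled" && f[j] + 0 < min) {
                            print "FINDING: min= field " j " is " f[j] " (< " min ")"; bad = 1
                        }
                    if (f[n] ~ /^[0-9]+$/ && f[n] + 0 >= min) last_ok = 1
                }
            }
            if (!enforce_ok) { print "FINDING: pam_passwdqc line lacks enforce=everyone"; bad = 1 }
            if (!last_ok)    { print "FINDING: pam_passwdqc min= does not end in a number >= " min; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Whole check: 0 = no finding, 1 = at least one finding (details printed).
stig_460_check() {
    rc=0
    check_login_conf "$1" || rc=1
    check_pam_passwdqc "$2" || rc=1
    return $rc
}

# Constructed sample inputs (not real system files); $1 = path, $2 = length.
write_sample_login_conf() {
    sed "s/@LEN@/$2/" > "$1" <<'EOF'
# constructed login.conf sample
default:\
	:passwd_format=sha512:\
	:minpasswordlen=@LEN@:\
	:umask=022:
staff:\
	:tc=default:
EOF
}
write_sample_pam_passwd() {
    sed "s/@LEN@/$2/" > "$1" <<'EOF'
# constructed pam.d/passwd sample
password	requisite	pam_passwdqc.so	enforce=everyone min=disabled,disabled,disabled,disabled,@LEN@ similar=deny
password	required	pam_unix.so	no_warn try_first_pass nullok
EOF
}

# Demonstration on the constructed samples (compliant, then non-compliant).
demo=$(mktemp -d)
write_sample_login_conf "$demo/login.conf" 15
write_sample_pam_passwd "$demo/passwd" 15
stig_460_check "$demo/login.conf" "$demo/passwd" && echo "compliant samples: no finding"
write_sample_login_conf "$demo/login.conf" 8
write_sample_pam_passwd "$demo/passwd" 8
stig_460_check "$demo/login.conf" "$demo/passwd" || echo "non-compliant samples: see findings above"
rm -rf "$demo"
```

On a real host the two check functions would be pointed at /etc/login.conf and /etc/pam.d/passwd; the script only prints findings and never modifies either file. Because login.conf caches into /etc/login.conf.db, a compliant source file does not by itself prove the running database matches it, so the manual review of cap_mkdb output remains part of the check.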
Fix Text
Configure the operating system to enforce a minimum 15-character password length.
Additional Identifiers
Rule ID:
Vulnerability ID: V-460
Group Title:
Expert Comments
CCIs
Number | Definition
---|---
CCI-000205 | The information system enforces minimum password length.
Controls
Number | Title
---|---
IA-5 (1) | Password-Based Authentication