Check: FreeBSD-10-000370
FreeBSD 10:
FreeBSD-10-000370
(in version v1 r1)
Title
The operating system must enforce password complexity. (Cat II impact)
Discussion
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password complexity is one of several factors that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.
Satisfies: SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000071-GPOS-00039, SRG-OS-000266-GPOS-00101
Check Content
Verify the operating system enforces password complexity by requiring that at least one upper-case character, one lower-case character, one numeric character, and one special character be used. If it does not, this is a finding.

FreeBSD password quality checks are performed by pam_passwdqc. Verify it is installed and in use:

    $ cat /etc/pam.d/passwd
    password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
    password required pam_unix.so no_warn try_first_pass nullok

Ensure the pam_passwdqc.so line is not commented out and contains the settings "enforce=everyone" and "min=disabled,disabled,disabled,disabled,15" (the final number may be larger). If it does not, this is a finding.
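The check above can be scripted. The following is an added example, not part of the STIG text; the function name check_passwdqc and the sample file are constructed for illustration. In passwdqc's min=N0,N1,N2,N3,N4 the last value is the minimum length for passwords that use all four character classes, so disabling the first four leaves only such passwords acceptable.

```shell
#!/bin/sh
# check_passwdqc FILE
# Returns 0 when FILE has an active (uncommented) pam_passwdqc.so password
# line with enforce=everyone and min=disabled,disabled,disabled,disabled,N
# where N >= 15. Returns non-zero (a finding) otherwise.
check_passwdqc() {
    awk '
    /^[ \t]*#/ { next }                 # commented-out lines do not count
    $1 == "password" {
        seen = enforce = minok = 0
        for (i = 2; i <= NF; i++) {
            # Options are the fields that follow the module name.
            if ($i ~ /pam_passwdqc\.so$/) { seen = 1; continue }
            if (!seen) continue
            if ($i == "enforce=everyone") enforce = 1
            if ($i ~ /^min=disabled,disabled,disabled,disabled,[0-9]+$/) {
                n = $i; sub(/.*,/, "", n)   # keep only the last value
                if (n + 0 >= 15) minok = 1
            }
        }
        # Both settings must be on the same pam_passwdqc.so line.
        if (seen && enforce && minok) ok = 1
    }
    END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample mirroring the output shown in the check text.
sample=$(mktemp)
cat > "$sample" <<'EOF'
password requisite pam_passwdqc.so enforce=everyone min=disabled,disabled,disabled,disabled,15 similar=deny
password required pam_unix.so no_warn try_first_pass nullok
EOF
if check_passwdqc "$sample"; then
    echo "not a finding"
else
    echo "finding"
fi
rm -f "$sample"
```

On a real system, call check_passwdqc /etc/pam.d/passwd and treat a non-zero return as a finding.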
Fix Text
Configure the operating system to enforce password complexity.
Additional Identifiers
Rule ID:
Vulnerability ID: V-370
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000192 | The information system enforces password complexity by the minimum number of upper case characters used. |
CCI-000193 | The information system enforces password complexity by the minimum number of lower case characters used. |
CCI-000194 | The information system enforces password complexity by the minimum number of numeric characters used. |
CCI-001619 | The information system enforces password complexity by the minimum number of special characters used. |
Controls
Number | Title |
---|---|
IA-5 (1) | Password-Based Authentication |