Title

The system must require passwords contain a minimum of 15 characters. (Cat II impact)

Discussion

The use of longer passwords reduces the ability of attackers to successfully obtain valid passwords using guessing or exhaustive search techniques by increasing the password search space.

Check Content

Check the system password length setting. Procedure: Check the password minlen option # grep pam_cracklib.so /etc/pam.d/ common-{auth,account,password,session} Confirm the minlen option is set to at least 15 as in the example below: password required pam_cracklib.so minlen=15 There may be other options on the line. If no such line is found, or the minlen is less than 15 this is a finding.

Fix Text

Edit /etc/pam.d/common-password and add or edit a pam_cracklib.so entry with a minlen parameter set equal to or greater than 15. NOTE: /etc/pam.d/common-password is normally a symbolic link that points to common-password-pc or common-password-local, a file to be ‘included’ by other pam configuration files.

Additional Identifiers

Rule ID: SV-46194r2_rule

Vulnerability ID: V-11947

Group Title: GEN000580

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.