Title

The system must require passwords contain no more than three consecutive repeating characters. (Cat II impact)

Discussion

To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing attacks.

Check Content

Check the system password maxrepeat setting. Procedure: Check the password maxrepeat option # grep pam_cracklib.so /etc/pam.d/common-password Confirm the maxrepeat option is set to 3 or less as in the example below: password required pam_cracklib.so maxrepeat=3 There may be other options on the line. If no such line is found, or the maxrepeat option is more than 3 this is a finding. A setting of zero disables this option. NOTE: This option was not available in SLES 11 until service pack 2(SP2).

Fix Text

Edit /etc/pam.d/common-password and set the maxrepeat option to a value of 3 or less on the pam_cracklib line.

Additional Identifiers

Rule ID: SV-44877r1_rule

Vulnerability ID: V-11975

Group Title: GEN000680

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.