Ensure PAM Enforces Password Requirements - Minimum Special Characters
An XCCDF Rule
Description
The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative
number, any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1 additional length
credit for each special character. Modify the ocredit setting in
/etc/security/pwquality.conf to equal
Rationale
Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes
to crack a password. The more complex the password, the greater the number of
possible combinations that need to be tested before the password is compromised.
Requiring a minimum number of special characters makes password guessing attacks
more difficult by ensuring a larger search space.
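The ocredit semantics from the Description, as an added audit sketch that is not part of the rule's own content: it reads the text of /etc/security/pwquality.conf, finds the effective ocredit value, and reports whether it makes a given number of special characters mandatory. The sample file contents, the function names and the required_specials parameter are assumptions made for illustration; pass the value your own baseline specifies.

```python
import re

# Constructed sample of /etc/security/pwquality.conf contents (not from a real host).
SAMPLE_CONF = """\
# minlen = 8
minlen = 14
# ocredit = 0
ocredit = 1
ocredit = -2
"""

def effective_ocredit(conf_text):
    """Return the last uncommented ocredit value, or None if it is not set."""
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r"ocredit\s*=\s*(-?\d+)", line)
        if m:
            # Assumption: when the key is repeated, the last assignment wins.
            value = int(m.group(1))
    return value

def check_ocredit(conf_text, required_specials):
    """Check that at least required_specials special characters are mandatory.

    required_specials is a hypothetical policy parameter, not a value taken
    from the rule text.
    """
    value = effective_ocredit(conf_text)
    if value is None:
        return False, "ocredit is not set in this file"
    if value >= 0:
        # Zero or positive values never make special characters mandatory.
        return False, f"ocredit={value} is not negative, so none are required"
    if -value < required_specials:
        return False, f"ocredit={value} requires {-value}, policy needs {required_specials}"
    return True, f"ocredit={value} requires {-value} special character(s)"

if __name__ == "__main__":
    with_policy = check_ocredit(SAMPLE_CONF, required_specials=1)
    print(with_policy)
```

A commented-out line such as `# ocredit = -1` is reported as unset, and a positive value is reported as failing, because only a negative value makes special characters mandatory.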
- ID: xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit
- Severity: Medium
- References
- Updated