Skip to content

Set Password Strength Minimum Digit Characters

An XCCDF Rule

Description

The pam_cracklib module's dcredit parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add dcredit=-1 after pam_cracklib.so to require use of a digit in passwords.

Rationale

Requiring digits makes password guessing attacks more difficult by ensuring a larger search space.

ID
xccdf_org.ssgproject.content_rule_cracklib_accounts_password_pam_dcredit
Severity
Medium
References
Updated



Remediation - Shell Script


declare -a VALUES=()
declare -a VALUE_NAMES=()
declare -a ARGS=()
declare -a NEW_ARGS=()


Remediation - Ansible

- name: XCCDF Value var_password_pam_dcredit # promote to variable
  set_fact:
    var_password_pam_dcredit: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" use="legacy"/>
  tags:
    - always