Skip to content

Set Password Minimum Length in login.defs

An XCCDF Rule

Description

To specify password length requirements for new accounts, edit the file /etc/login.defs and add or correct the following line:

PASS_MIN_LEN 


The DoD requirement is 15. The FISMA requirement is 12. The profile requirement is . If a program consults /etc/login.defs and also another PAM module (such as pam_pwquality) during a password change operation, then the most restrictive must be satisfied. See PAM section for more information about enforcing password quality requirements.

Rationale

Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result.

ID
xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91168-5
  - CJIS-5.6.2.1

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q shadow; then

var_accounts_password_minlen_login_defs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>'

# Strip any search characters in the key arg so that the key can be replaced without