Set Password Quality Requirements, if using pam_cracklib
An XCCDF Group
Description
The pam_cracklib PAM module can be configured to meet requirements for a variety of policies.
For example, to configure pam_cracklib to require at least one uppercase character, lowercase character, digit, and other (special) character, locate the following line in /etc/pam.d/system-auth:

password requisite pam_cracklib.so try_first_pass retry=3

and then alter it to read:

password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4

If no such line exists, add one as the first line of the password section in /etc/pam.d/system-auth.
The arguments can be modified to ensure compliance with your organization's security policy. Discussion of each parameter follows.
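One way to check a system-auth file against the example line above. This is an added example, not part of the original guidance; the function names and the choice to treat an unset option as a finding are assumptions of this sketch.

```python
import re

# Matches an active "password" stack entry for pam_cracklib; the control field
# may be a keyword or a bracketed [value=action ...] expression.
LINE_RE = re.compile(r"^\s*password\s+(\[[^\]]*\]|\S+)\s+\S*pam_cracklib\.so\b(.*)$")

# Thresholds taken from the example line on this page. Each check is True when
# the configured integer is at least as strict as that example.
POLICY = {
    "minlen":    lambda v: v >= 14,      # minimum password length
    "difok":     lambda v: v >= 4,       # characters that must differ from the old password
    "maxrepeat": lambda v: 1 <= v <= 3,  # 0 disables the repeat check
    "dcredit":   lambda v: v <= -1,      # negative credit = required number of digits
    "ucredit":   lambda v: v <= -1,      # ... of uppercase characters
    "ocredit":   lambda v: v <= -1,      # ... of other (special) characters
    "lcredit":   lambda v: v <= -1,      # ... of lowercase characters
}

def parse_cracklib(pam_text):
    """Return (control, options) for the first pam_cracklib password line, or None."""
    for raw in pam_text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0])  # ignore comments
        if m:
            opts = dict(tok.partition("=")[::2] for tok in m.group(2).split())
            return m.group(1), opts
    return None

def audit(pam_text):
    """Return a list of findings; an empty list means the line meets the policy."""
    parsed = parse_cracklib(pam_text)
    if parsed is None:
        return ["no pam_cracklib line in the password section"]
    control, opts = parsed
    findings = []
    # Assumption of this checker: only these two controls make a failed check fatal.
    if control not in ("required", "requisite"):
        findings.append(f"control '{control}' does not make a failed check fatal")
    for name, ok in POLICY.items():
        value = opts.get(name)
        if value is None:
            findings.append(f"{name} is not set")
        elif not re.fullmatch(r"-?\d+", value) or not ok(int(value)):
            findings.append(f"{name}={value} does not meet the example policy")
    return findings

# The two lines quoted on this page, used as constructed sample input.
BEFORE = "password requisite pam_cracklib.so try_first_pass retry=3\n"
AFTER = ("password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 "
         "minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4\n")
```

Calling `audit(open("/etc/pam.d/system-auth").read())` on a host returns the options that still need attention.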
Warning
Note that the password quality requirements are not enforced for the root account for some reason.
- ID
- xccdf_org.ssgproject.content_group_password_quality_pamcracklib