5.4.1 Ensure password creation requirements are configured

Audit

Verify password creation requirements conform to organization policy.

Password length

Run the following command:

# grep '^\s*minlen\s*' /etc/security/pwquality.conf

Verify the output matches:

minlen = 14

Password complexity

Option 1

Run the following command:

# grep '^\s*minclass\s*' /etc/security/pwquality.conf

Verify the output matches:

minclass = 4

Option 2

Run the following command:

# grep -E '^\s*[duol]credit\s*' /etc/security/pwquality.conf

Verify the output matches:

dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1

Remediation

The following settings are a recommended example policy. Alter these values to conform to your own organization's password policies.

Run the following command to install the pam_pwquality module:

# apt install libpam-pwquality

Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy:

minlen = 14

Edit the file /etc/security/pwquality.conf and add or modify the following line for password complexity to conform to site policy:

Option 1

minclass = 4

Option 2

dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
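The audit and remediation steps above, combined into one check as an added example (this is not CIS tooling and does not ship with the benchmark): a shell helper that parses a pwquality.conf-style file the way the grep commands do, skipping commented lines, and reports whether it meets minlen and either option 1 or option 2. It assumes the hypothetical function names pwq_get and audit_pwquality, treats any minlen of 14 or more as meeting the requirement, and, like the grep audit, only reads the named file: drop-in files under pwquality.conf.d/ and options set directly on the pam_pwquality.so line in /etc/pam.d (which override the file) are not examined.

```shell
#!/bin/sh
# Added audit helper (not CIS tooling): parses a pwquality.conf-style file
# and checks it against the 5.4.1 values. Exit 0 = compliant, 1 = not.
# Caveat: only the named file is read. Drop-ins under pwquality.conf.d/ and
# options given on the pam_pwquality.so line in /etc/pam.d, which override
# the file, are out of scope for this check.

# Print the effective value of KEY in FILE. Commented lines are skipped and
# the last assignment wins, matching how a later line overrides an earlier one.
pwq_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" \
    | tail -n 1
}

# Audit FILE: minlen >= 14, and either minclass = 4 (option 1) or all four
# credit settings = -1 (option 2). The benchmark greps for the literal
# line "minlen = 14"; this treats any length of 14 or more as meeting it.
audit_pwquality() {
  file=$1
  minlen=$(pwq_get minlen "$file")
  if [ -z "$minlen" ] || ! [ "$minlen" -ge 14 ] 2>/dev/null; then
    echo "FAIL: minlen is '${minlen:-unset}', need 14 or more"
    return 1
  fi
  if [ "$(pwq_get minclass "$file")" = "4" ]; then
    echo "PASS: minlen = $minlen, minclass = 4 (option 1)"
    return 0
  fi
  for k in dcredit ucredit lcredit ocredit; do
    v=$(pwq_get "$k" "$file")
    if [ "$v" != "-1" ]; then
      echo "FAIL: minclass is not 4 and $k is '${v:-unset}', need -1"
      return 1
    fi
  done
  echo "PASS: minlen = $minlen, all credit values = -1 (option 2)"
  return 0
}

# Demo on a constructed file (not a real host's config): the commented
# "minlen = 8" is ignored and the later "minlen = 14" takes effect.
demo=$(mktemp)
printf '# minlen = 8\nminlen = 14\ndcredit = -1\nucredit = -1\nlcredit = -1\nocredit = -1\n' > "$demo"
audit_pwquality "$demo"
rm -f "$demo"
```

Run it against /etc/security/pwquality.conf on the host being audited; a non-zero exit with the printed reason gives the item to remediate.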