UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AIX must use Loadable Password Algorithm (LPA) password hashing algorithm.


Overview

Finding ID Version Rule ID IA Controls Severity
V-91315 AIX7-00-001128 SV-101413r1_rule High
Description
The default legacy password hashing algorithm, crypt(), uses only the first 8 characters from the password string, meaning the user's password is truncated to eight characters. If the password is shorter than 8 characters, it is padded with zero bits on the right. The crypt() is a modified DES algorithm that is vulnerable to brute force password guessing attacks and also to cracking the DES-hashing algorithm by using techniques such as pre-computation. With the Loadable Password Algorithm (LPA) framework release, AIX implemented a set of LPAs using MD5, SHA2, and Blowfish algorithms. These IBM proprietary password algorithms support a password longer than 8 characters and Unicode characters in passwords.
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2019-04-29

Details

Check Text ( C-90469r4_chk )
From the command prompt, run the following command to check system wide password algorithm:

# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=ssha512

If the "pwd_algorithm" is not set to "ssha512", or "ssha256", this is a finding.
Fix Text (F-97513r1_fix)
From the command prompt, run the following command to set system wide password algorithm to "ssha512" so that it supports passwords longer than 8-character:
# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

For each users who have hashed passwords in "/etc/security/passwd" file that does not start with "{ssha512}", run passwd commands to reset the users' passwords so that they have to change their passwords in the next login:
# passwd [user_name]