Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must require passwords to contain no more than three consecutive repeating characters.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-50995 | OL6-00-000299 | SV-65201r4_rule | Low |
| Description |
|---|
| Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
| STIG | Date |
|---|---|
| Oracle Linux 6 Security Technical Implementation Guide | 2019-03-20 |
Details
| Check Text ( C-53441r3_chk ) |
|---|
| To check the maximum value for consecutive repeating characters, run the following command: $ grep pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth Look for the value of the "maxrepeat" parameter. The DoD requirement is “3”. If "maxrepeat" is not found, is set to zero, or is set to a value greater than “3”, this is a finding. |
| Fix Text (F-55801r4_fix) |
|---|
| The pam_cracklib module's ”maxrepeat” parameter controls requirements for consecutive repeating characters. When set to a positive number, it will reject passwords that contain more than the number of consecutive characters. Edit /etc/pam.d/system-auth and /etc/pam.d/password-auth adding "maxrepeat=3" after pam_cracklib.so to prevent a run of (3 + 1) or more identical characters. password required pam_cracklib.so maxrepeat=3 |