UCF STIG Viewer Logo

The system must require passwords contain no more than three consecutive repeating characters.


Overview

Finding ID Version Rule ID IA Controls Severity
V-11975 GEN000680 SV-37294r1_rule IAIA-1 IAIA-2 Medium
Description
To enforce the use of complex passwords, the number of consecutive repeating characters is limited. Passwords with excessive repeated characters may be more vulnerable to password-guessing attacks.
STIG Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide 2017-03-01

Details

Check Text ( C-35986r1_chk )
Check the maxrepeat setting.

Procedure:
Check the password maxrepeat configuration
# grep pam_cracklib.so /etc/pam.d/system-auth

If the maxrepeat option is missing, this is a finding.
If the maxrepeat option is set to more than 3, this is a finding.
Fix Text (F-31243r1_fix)
Edit "/etc/pam.d/system-auth" to include the line:

password required pam_cracklib.so maxrepeat=3

prior to the "password include system-auth-ac" line.