Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
RHEL-06-000050 | RHEL-06-000050 | RHEL-06-000050_rule | | Medium |
Description |
---|
Requiring a minimum password length makes password cracking attacks more difficult by ensuring a larger search space. However, any security benefit from an onerous requirement must be carefully weighed against usability problems, support costs, or counterproductive behavior that may result. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2013-02-05 |
Check Text ( C-RHEL-06-000050_chk ) |
---|
To check the minimum password length, run the command: `$ grep PASS_MIN_LEN /etc/login.defs` The DoD requirement is "14". If it is not set to the required value, this is a finding. |
Fix Text (F-RHEL-06-000050_fix) |
---|
To specify password length requirements for new accounts, edit the file "/etc/login.defs" and add or correct the following line: `PASS_MIN_LEN 14` The DoD requirement is "14". If a program consults "/etc/login.defs" and also another PAM module (such as "pam_cracklib") during a password change operation, then the most restrictive must be satisfied. |
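The check above is a bare grep; a compliance scanner also needs to ignore commented-out settings (`#PASS_MIN_LEN 5`), take the last effective definition, and treat a missing or non-numeric value as a finding. The following script is an added example, not part of the STIG text: the `check_pass_min_len` function and the sample `login.defs` files it builds in a temporary directory are constructed here so it runs offline, and the required minimum defaults to the DoD value of 14 from the check text.

```shell
#!/bin/sh
# Added example (not from the STIG): audit PASS_MIN_LEN in a login.defs-style
# file against a required minimum. Returns 0 when compliant, 1 on a finding.
check_pass_min_len() {
    file="$1"
    required="${2:-14}"   # DoD requirement from the check text
    if [ ! -r "$file" ]; then
        echo "FINDING: cannot read $file"
        return 1
    fi
    # Only uncommented lines count; later definitions override earlier ones,
    # so keep the last match. grep finding nothing yields an empty value.
    value=$(grep -E '^[[:space:]]*PASS_MIN_LEN[[:space:]]+' "$file" \
            | awk '{print $2}' | tail -n 1)
    case "$value" in
        "")        echo "FINDING: PASS_MIN_LEN not set in $file"; return 1 ;;
        *[!0-9]*)  echo "FINDING: PASS_MIN_LEN has non-numeric value '$value'"; return 1 ;;
    esac
    if [ "$value" -lt "$required" ]; then
        echo "FINDING: PASS_MIN_LEN is $value, required $required"
        return 1
    fi
    echo "OK: PASS_MIN_LEN is $value (required $required)"
    return 0
}

# Demo on constructed sample files (hypothetical contents, not a real system).
demo_dir=$(mktemp -d)
printf '# constructed sample\nPASS_MAX_DAYS 60\nPASS_MIN_LEN 14\n' > "$demo_dir/ok.defs"
printf '#PASS_MIN_LEN 14\nPASS_MIN_LEN 5\n' > "$demo_dir/weak.defs"
printf 'PASS_MAX_DAYS 60\n' > "$demo_dir/missing.defs"
for f in ok weak missing; do
    check_pass_min_len "$demo_dir/$f.defs" 14 || true
done
rm -rf "$demo_dir"
```

To audit a live host, call `check_pass_min_len /etc/login.defs 14`; remember that this only covers `/etc/login.defs`, and the effective policy is the most restrictive of that file and any PAM module (such as `pam_cracklib`) consulted during a password change.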