Profile Applicability:
• Level 1
Description:
Password complexity requirements enforce the use of varied character types—such as uppercase letters, lowercase letters, numbers, and special characters—in user passwords. Proper configuration strengthens passwords against guessing and brute-force attacks.
Rationale:
Enforcing complexity reduces the likelihood of simple or easily guessable passwords, enhancing overall system security and compliance with security standards.
Impact:
Pros:
Increases password strength and resistance to attacks.
Supports compliance with organizational and regulatory policies.
Cons:
May increase user difficulty in remembering passwords.
Overly complex requirements may lead to insecure workarounds (e.g., writing down passwords).
Default Value:
Password complexity is often not enforced by default and requires explicit configuration.
Pre-requisites:
Root or sudo privileges to configure password complexity modules and policies.
Remediation:
Test Plan:
Using Linux command line:
- Review password complexity settings in PAM configuration files (e.g., /etc/pam.d/system-auth, /etc/pam.d/password-auth) for modules like pam_pwquality or pam_cracklib:
grep -E 'pam_pwquality|pam_cracklib' /etc/pam.d/system-auth /etc/pam.d/password-auth
- Check /etc/security/pwquality.conf or the relevant configuration files for complexity parameters such as minclass, minlen, dcredit, ucredit, lcredit, and ocredit.
Implementation Plan:
Using Linux command line:
- Configure password complexity by editing /etc/security/pwquality.conf and setting parameters, one per line, for example:
minlen = 12
minclass = 4
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
- Ensure PAM modules like pam_pwquality are enabled in the relevant PAM configuration files (a password stack line referencing pam_pwquality.so).
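An added audit helper, not part of the benchmark or of pam_pwquality, that reads a pwquality.conf-style file and compares each parameter against the values above; the function names pwq_get, pwq_audit and demo_pwquality_conf are chosen here, and the sample file is constructed rather than taken from a real system.

```shell
# Audit a pwquality.conf-style file against the values recommended above:
# minlen >= 12, minclass >= 4, and each *credit <= -1. Parsing follows the
# file's "key = value" syntax: '#' starts a comment and the last assignment wins.

# pwq_get FILE KEY -> prints the effective value of KEY, or nothing if unset.
pwq_get() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" -F= '
        $1 ~ "^[ \t]*" k "[ \t]*$" { gsub(/[ \t]/, "", $2); v = $2 }
        END { if (v != "") print v }'
}

# pwq_audit FILE -> prints one PASS/FAIL line per parameter and returns 0
# only when every parameter meets the benchmark value.
pwq_audit() {
    f="$1"; rc=0
    for spec in "minlen ge 12" "minclass ge 4" \
                "dcredit le -1" "ucredit le -1" "ocredit le -1" "lcredit le -1"; do
        set -- $spec
        key=$1; op=$2; want=$3
        have=$(pwq_get "$f" "$key")
        # A key left unset falls back to the pam_pwquality built-in default
        # (minlen 8, minclass 0, credits 0), none of which meets the benchmark.
        if [ -n "$have" ] && [ "$have" "-$op" "$want" ] 2>/dev/null; then
            printf 'PASS %s = %s\n' "$key" "$have"
        else
            printf 'FAIL %s = %s (want %s %s)\n' "$key" "${have:-unset}" "$op" "$want"
            rc=1
        fi
    done
    return $rc
}

# demo_pwquality_conf -> audits a constructed sample file (not a real system
# file) carrying the recommended values plus a commented-out default line.
demo_pwquality_conf() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# minlen = 8
minlen = 12
minclass = 4
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
    pwq_audit "$tmp"; rc=$?; rm -f "$tmp"; return $rc
}
```

Run pwq_audit /etc/security/pwquality.conf on a host to get a PASS/FAIL line per parameter; a non-zero exit status means at least one setting is below the benchmark.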
Backout Plan:
Using Linux command line:
- Adjust or remove complexity parameters in /etc/security/pwquality.conf if needed.
- Test password change and creation processes for usability.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwquality Manual