Profile Applicability:
• Level 1
Description:
Configuring limits on the maximum number of sequential characters in passwords prevents users from choosing passwords with easily guessable sequences (e.g., “abcd”, “1234”), thereby strengthening password security.
Rationale:
Restricting sequential characters reduces the risk of weak passwords vulnerable to pattern-based attacks and improves overall authentication security.
Impact:
Pros:
Encourages stronger and less predictable passwords.
Mitigates risks from common sequential patterns.
Cons:
May increase user difficulty in creating passwords.
Default Value:
This setting is not always configured by default and requires explicit configuration.
Pre-requisites:
Root or sudo privileges to configure PAM modules such as pam_pwquality.
Remediation:
Test Plan:
Using Linux command line:
- Check /etc/security/pwquality.conf for the maxsequence parameter, which controls the maximum allowed length of a monotonic character sequence in a password:
grep maxsequence /etc/security/pwquality.conf
Verify maxsequence is set appropriately (e.g., 3 or fewer).
Implementation Plan:
Using Linux command line:
- Edit /etc/security/pwquality.conf to set maxsequence, for example:
maxsequence = 3
Save the file and ensure PAM is configured to use pam_pwquality.
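Reading the effective value by hand is error-prone: the grep above also matches commented-out lines, and the pwquality.conf manual states that a value of 0 disables the check entirely, so "3 or fewer" must not be satisfied by 0. The script below is an added example, not part of the benchmark text; it strips comments, keeps the last maxsequence assignment, and assumes that drop-in files under /etc/security/pwquality.conf.d/ are read after the main file with later values winning.

```shell
#!/bin/sh
# Added example (not from the benchmark text): report the effective
# pam_pwquality maxsequence value the way an auditor would want it read.
# Assumptions: "key = value" syntax, '#' starts a comment, the last
# assignment wins, and drop-ins under /etc/security/pwquality.conf.d/
# are read after the main file (pass them as extra arguments).

# effective_maxsequence FILE... : print the last uncommented value of
# maxsequence across the given files, or nothing if it is never set.
effective_maxsequence() {
    cat "$@" 2>/dev/null \
        | sed 's/#.*//' \
        | awk -F= '
            $1 ~ /^[[:space:]]*maxsequence[[:space:]]*$/ {
                gsub(/[[:space:]]/, "", $2); v = $2
            }
            END { if (v != "") print v }'
}

# check_maxsequence LIMIT FILE... : succeed only when maxsequence is set
# to a value from 1 to LIMIT. 0 disables the check, so it fails.
check_maxsequence() {
    limit="$1"; shift
    value="$(effective_maxsequence "$@")"
    case "$value" in
        '')       echo "FAIL: maxsequence not set (check disabled)"; return 1 ;;
        *[!0-9]*) echo "FAIL: maxsequence has non-numeric value '$value'"; return 1 ;;
        0)        echo "FAIL: maxsequence = 0 disables the check"; return 1 ;;
    esac
    if [ "$value" -le "$limit" ]; then
        echo "PASS: maxsequence = $value (limit $limit)"
        return 0
    fi
    echo "FAIL: maxsequence = $value exceeds limit $limit"
    return 1
}

# Usage: sh check_maxsequence.sh 3 /etc/security/pwquality.conf \
#            /etc/security/pwquality.conf.d/*.conf
if [ "$#" -gt 0 ]; then
    check_maxsequence "$@"
fi
```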
Backout Plan:
Using Linux command line:
Remove or adjust the maxsequence parameter if needed.
Test password change functionality.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pwquality.conf Manual