Profile Applicability:
• Level 1
Description:
Enabling the password dictionary check rejects passwords that match, or are trivial variants of, words in a dictionary of common and easily guessed passwords. On Amazon Linux 2 the check is performed by pam_pwquality.so (or the older pam_cracklib.so) against the cracklib dictionary whenever a user sets or changes a password, so weak choices are blocked before they reach the password database.
Rationale:
Dictionary words and common-password lists are the first guesses an attacker tries, both in online guessing and in offline cracking of captured hashes. Rejecting them at password-change time removes that cheap class of guesses and forces an attacker back to far more expensive brute-force search.
Impact:
Pros:
Increases password complexity and security.
Helps prevent use of weak or common passwords.
Cons:
Adds a small delay when a password is set or changed (the check runs at password change, not at login).
Relies on the cracklib dictionary being installed and kept current; site-specific terms such as the company or product name are not covered unless added separately (pam_pwquality offers a badwords option for this).
Default Value:
pam_pwquality enables the dictionary check by default (dictcheck = 1), but it only takes effect if pam_pwquality.so is present in the password stack and dictcheck has not been set to 0 on the PAM line or in /etc/security/pwquality.conf. pam_cracklib.so always performs the check and has no switch to disable it.
Pre-requisites:
Root or sudo privileges to configure password policies.
Remediation:
Test Plan:
Using Linux command line:
- Check the PAM password stack for the dictionary-check module. Amazon Linux 2 keeps it in /etc/pam.d/system-auth and /etc/pam.d/password-auth (/etc/pam.d/common-password is the Debian and Ubuntu location):
grep -i pam_pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth
grep -i pam_cracklib /etc/pam.d/system-auth /etc/pam.d/password-auth
Verify that an uncommented password line loads pam_pwquality.so (or pam_cracklib.so) and that the line does not carry dictcheck=0. Because pam_pwquality enables the check by default, an explicit dictcheck=1 is sufficient but not required; also confirm that /etc/security/pwquality.conf does not contain an uncommented dictcheck = 0, since the module reads that file when the option is absent from the PAM line.
Implementation Plan:
Using Linux command line:
1. Edit the PAM password configuration (example for pam_pwquality). On Amazon Linux 2 apply the same change to both files, keeping a copy of each first so the Backout Plan can restore them:
vi /etc/pam.d/system-auth
vi /etc/pam.d/password-auth
2. Ensure the pam_pwquality line in each file keeps its existing module arguments and includes the dictionary check option, for example:
password requisite pam_pwquality.so retry=3 dictcheck=1
3. Save the files. The cracklib dictionary (cracklib-dicts package) must be installed for the check to have anything to compare against, and authconfig can rewrite both files, so re-verify the lines after any authconfig run.
Backout Plan:
Using Linux command line:
Restore the copies of /etc/pam.d/system-auth and /etc/pam.d/password-auth saved before the change, or remove the dictcheck option from the pam_pwquality line in each file.
Change a test user's password (with a known weak value and then a strong one) to confirm the stack behaves as intended after either the change or the rollback.
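The audit above is easy to get wrong by hand because three places interact: the module argument on the PAM line, /etc/security/pwquality.conf, and libpwquality's built-in default. The helper below, added here as a worked example and not part of the CIS benchmark, encodes that precedence (module argument over configuration file over default of 1, pam_cracklib.so always enabled) and reports whether the check is effectively on for a given PAM file and pwquality.conf. The file names under mktemp and their contents are constructed for an offline dry run; on a real Amazon Linux 2 host pass /etc/pam.d/system-auth, /etc/pam.d/password-auth and /etc/security/pwquality.conf.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the CIS benchmark). Reports whether the
# pam_pwquality dictionary check is effectively enabled for one PAM password
# stack plus its pwquality.conf. Exit status 0 = enabled, 1 = disabled.
#
# Precedence mirrors pam_pwquality(8): a dictcheck= argument on the
# "password ... pam_pwquality.so" line overrides /etc/security/pwquality.conf,
# and libpwquality defaults dictcheck to 1 when neither sets it.
# pam_cracklib.so has no dictcheck switch and always consults the cracklib
# dictionary, so its presence counts as enabled.

dictcheck_status() {
    pamfile="$1"   # e.g. /etc/pam.d/system-auth or /etc/pam.d/password-auth
    pwqconf="$2"   # e.g. /etc/security/pwquality.conf

    # First active (uncommented) password line that loads pam_pwquality.so.
    pwq_line=$(grep -E '^[[:space:]]*password[[:space:]]+[^#]*pam_pwquality\.so' \
        "$pamfile" 2>/dev/null | head -n 1)

    if [ -z "$pwq_line" ]; then
        if grep -Eq '^[[:space:]]*password[[:space:]]+[^#]*pam_cracklib\.so' \
            "$pamfile" 2>/dev/null; then
            echo "enabled: pam_cracklib.so in $pamfile always runs the dictionary check"
            return 0
        fi
        echo "disabled: no pam_pwquality.so or pam_cracklib.so in the password stack of $pamfile"
        return 1
    fi

    # 1. A dictcheck=N module argument on the PAM line wins over the config file.
    arg=$(printf '%s\n' "$pwq_line" | grep -oE 'dictcheck=[0-9]+' | tail -n 1 | cut -d= -f2)
    if [ -n "$arg" ]; then
        if [ "$arg" -ne 0 ]; then
            echo "enabled: dictcheck=$arg set as module argument in $pamfile"
            return 0
        fi
        echo "disabled: dictcheck=0 set as module argument in $pamfile"
        return 1
    fi

    # 2. Otherwise the last uncommented "dictcheck = N" in pwquality.conf.
    conf=$(grep -E '^[[:space:]]*dictcheck[[:space:]]*=[[:space:]]*[0-9]+' "$pwqconf" 2>/dev/null \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*([0-9]+).*/\1/')
    if [ -n "$conf" ]; then
        if [ "$conf" -ne 0 ]; then
            echo "enabled: dictcheck = $conf in $pwqconf"
            return 0
        fi
        echo "disabled: dictcheck = 0 in $pwqconf"
        return 1
    fi

    # 3. Neither sets it: libpwquality's built-in default is 1.
    echo "enabled: dictcheck unset, libpwquality default is 1"
    return 0
}

# Offline dry run over constructed sample files (not real system files):
# a compliant pair, a PAM line that disables the check, and a pwquality.conf
# that disables it while a commented-out line appears to enable it.
demo_dictcheck() {
    d=$(mktemp -d)
    printf 'password    requisite     pam_pwquality.so try_first_pass retry=3\n' > "$d/ok-auth"
    printf 'dictcheck = 1\nminlen = 14\n' > "$d/ok-conf"
    printf 'password    requisite     pam_pwquality.so try_first_pass retry=3 dictcheck=0\n' > "$d/arg-off-auth"
    printf '# dictcheck = 1\ndictcheck = 0\n' > "$d/conf-off-conf"

    dictcheck_status "$d/ok-auth" "$d/ok-conf"
    dictcheck_status "$d/arg-off-auth" "$d/ok-conf"
    dictcheck_status "$d/ok-auth" "$d/conf-off-conf"
    rm -rf "$d"
    return 0
}

demo_dictcheck
```

Run it against both AL2 PAM files, since the CIS check requires the module in each; a host is only compliant if dictcheck_status returns 0 for system-auth and for password-auth. The regular expressions deliberately require the module name before any # so that a commented-out pam_pwquality line is not mistaken for an active one.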
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_pwquality(8) and pwquality.conf(5) manual pages