Secure password length (must be at least 14 characters) and password complexity have not been enforced.
Description
Passwords that contain fewer than 14 characters or use only alphanumeric characters are weak and therefore easy to crack. The pam_cracklib.so shared library in the Pluggable Authentication Modules (PAM) framework enforces password strength checks on Linux systems. Fixing this misconfiguration alters the PAM configuration so that the minimum password length is 14 characters, the password is not a dictionary word, and it contains a mix of character classes (upper-case letters, lower-case letters, digits and other special characters). This makes it much harder for a brute-force attack to recover the password.
Severity
important
Category
Linux - Password Policies
Resolution
Follow the steps below to resolve the misconfiguration.
On a Debian-based distribution, open the file /etc/pam.d/common-password; on a Red Hat-based distribution, open the file /etc/pam.d/system-auth. Add the following line to the password stack:
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Here minlen=14 sets the minimum password length, retry=3 allows three attempts to choose an acceptable password, and each negative credit value makes a character class mandatory: dcredit=-1 requires at least one digit, ucredit=-1 at least one upper-case letter, lcredit=-1 at least one lower-case letter and ocredit=-1 at least one other (special) character.
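The following audit helper is an added example and not part of this page or of Vulnerability Manager Plus. It checks a PAM password file for an active pam_cracklib.so line whose minlen is at least 14 and whose dcredit, ucredit, ocredit and lcredit values are all negative, which is exactly the state the resolution above produces. The function name check_pam_password_policy and the two sample files are assumptions constructed for the example; on a real host you would point it at /etc/pam.d/common-password or /etc/pam.d/system-auth. It only inspects configuration text, so a compliant result also presumes the pam_cracklib module is actually installed.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the page): verify that a PAM
# password stack enforces the length and complexity policy described above.
# Returns 0 when the policy is compliant, 1 otherwise, printing each finding.
check_pam_password_policy() {
    file="$1"
    # First active (uncommented) pam_cracklib.so line in the "password" stack.
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "$file: no active pam_cracklib.so line in the password stack"
        return 1
    fi
    # opt KEY prints the value of KEY=VALUE on the matched line (empty if absent).
    opt() { printf '%s\n' "$line" | tr -s '[:blank:]' '\n' | sed -n "s/^$1=//p" | head -n 1; }
    minlen=$(opt minlen)
    status=0
    if [ -z "$minlen" ] || [ "$minlen" -lt 14 ]; then
        echo "$file: minlen is '${minlen:-unset}', must be >= 14"
        status=1
    fi
    # A negative credit means "at least N characters of this class are required";
    # zero or a positive value (or an unset option) leaves the class optional.
    for name in dcredit ucredit ocredit lcredit; do
        val=$(opt "$name")
        if [ -z "$val" ] || [ "$val" -ge 0 ]; then
            echo "$file: $name is '${val:-unset}', must be negative (e.g. -1)"
            status=1
        fi
    done
    return $status
}

# Constructed sample files standing in for /etc/pam.d/common-password.
tmpdir=$(mktemp -d)
cat > "$tmpdir/compliant" <<'EOF'
# constructed sample: stack containing the line from the resolution
password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF
cat > "$tmpdir/weak" <<'EOF'
# constructed sample: short minimum length and no mandatory character classes
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF

for f in "$tmpdir/compliant" "$tmpdir/weak"; do
    if check_pam_password_policy "$f"; then
        echo "$f: COMPLIANT"
    else
        echo "$f: NOT COMPLIANT"
    fi
done
rm -rf "$tmpdir"
```

The check deliberately looks at the first active pam_cracklib.so entry only; if a stack carries several, review them by hand, since PAM evaluates every line and a later weaker entry does not loosen an earlier stricter one.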
Potential issues that may arise after applying the resolution
Altering the existing security setting may have the following impact on your network operations.
Does remediation require reboot?
No
Vulnerability Manager Plus tracks security configurations and remediates misconfigurations in your network systems from a centralized console. View a list of all the security misconfigurations detected by Vulnerability Manager Plus.