AlmaLinux OS 9 passwords must be created with a minimum of 15 characters.

STIG ID: ALMA-09-036540  |  SRG: SRG-OS-000078-GPOS-00046 |  Severity: medium |  CCI: CCI-004066 |  Vulnerability Id: V-269392

Vulnerability Discussion

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.

Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.

AlmaLinux OS 9 uses the PAM pwquality module as a mechanism to enforce password complexity. Configurations are set in the "/etc/security/pwquality.conf" file or further *.conf files within the "/etc/security/pwquality.conf.d/" directory.

The "minlen" parameter acts as a score of complexity based on the credit components of the pwquality module. By setting the credit to a negative value, not only will those components be required, but they will not count toward the total score of minlen. This will result in minlen requiring a 15-character minimum.

Check

Verify that AlmaLinux OS 9 enforces a minimum 15-character password length with the following command:

$ grep -r minlen /etc/security/pwquality.conf*

/etc/security/pwquality.conf.d/stig.conf:minlen = 15

If the value of "minlen" is less than 15, is not set, is commented out, or if conflicting results are returned, this is a finding.

Fix

Configure AlmaLinux OS 9 to require a minimum 15-character password length by setting the "minlen" option.

Add or update the following line in the "/etc/security/pwquality.conf" file or a configuration file in the "/etc/security/pwquality.conf.d/" directory:

minlen = 15

Remove any configurations that conflict with the above value.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.