{"description": "To specify password length requirements for new accounts, edit the file\n<tt>/etc/login.defs</tt> and add or correct the following line:\n<pre>PASS_MIN_LEN <sub idref=\"var_accounts_password_minlen_login_defs\" /></pre>\n<br /><br />\nThe profile requirement is\n<tt><sub idref=\"var_accounts_password_minlen_login_defs\" /></tt>.\nIf a program consults <tt>/etc/login.defs</tt> and also another PAM module\n(such as <tt>pam_pwquality</tt>) during a password change operation, then\nthe most restrictive must be satisfied. See the PAM section for more\ninformation about enforcing password quality requirements.", "rationale": "Requiring a minimum password length makes password\ncracking attacks more difficult by ensuring a larger\nsearch space. However, any security benefit from an onerous requirement\nmust be carefully weighed against usability problems, support costs, or counterproductive\nbehavior that may result.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cjis": ["5.6.2.1"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "cui": ["3.5.7"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-5(f)", "IA-5(1)(a)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000078-GPOS-00046"], "anssi": ["R31"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "control_references": {"anssi": ["R31"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "components": [], "identifiers": {}, "ocil_clause": "it is not set to the required value", "ocil": "To check the minimum password length, run the command:\n<pre>$ grep PASS_MIN_LEN /etc/login.defs</pre>\nThe profile requirement is\n<tt><sub idref=\"var_accounts_password_minlen_login_defs\" /></tt>.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to enforce a minimum 15-character password length for new user accounts.\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_LEN <sub idref=\"var_accounts_password_minlen_login_defs\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 passwords for new users must have a minimum of 15 characters.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 passwords for new users must have a minimum of 15 characters.", "fixtext": "Configure Ubuntu 22.04 to enforce a minimum 15-character password length for new user accounts.\n\nAdd or modify the following line in the \"/etc/login.defs\" file:\n\nPASS_MIN_LEN 15", "checktext": "Verify that Ubuntu 22.04 enforces a minimum 15-character password length for new user accounts by running the following command:\n\n$ sudo grep -i  pass_min_len /etc/login.defs\n\nPASS_MIN_LEN 15\n\nIf the command does not return a \"PASS_MIN_LEN\" value of \"15\" or greater, does not return a line, or the line is commented out, this is a finding.", "vuldiscussion": "The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to increase exponentially the time and/or resources required to compromise the password.\n\nThe DOD minimum password requirement is 15 characters."}}, "platform": "package[shadow-utils]", "platforms": ["package[shadow-utils]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_shadow-utils"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Password Minimum Length in login.defs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_password_minlen_login_defs/rule.yml", "template": null}