Set a minimum password length

Details

A minimum password length is the fewest number of characters a password can contain to meet a system’s requirements.

Ensure that the password policy on the computer requires a minimum password length of 15 characters.

Where the confidentiality of encrypted information in FileVault is more of a concern, requiring a longer password or passphrase may be sufficient, rather than imposing additional complexity requirements that may be self-defeating.

Rationale:

Information systems that are not protected with strong password schemes, including passwords of minimum length, provide a greater opportunity for attackers to crack the password and gain access to the system.

Impact:

Short passwords can be easily attacked.

Solution

Run the following command to set the minimum password length, replacing <value> with a number greater than or equal to 15 and <admin_user> with an administrator account:

$ sudo pwpolicy -a <admin_user> -setglobalpolicy 'minChars=<value>'

Example:

$ sudo pwpolicy -a firstuser -setglobalpolicy 'minChars=15'
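
To confirm the setting took effect, the following audit helper is an added example, not part of the original page. It assumes the policy appears in `pwpolicy -getaccountpolicies` output as a regex rule of the form `.{N,}`; the sample output, the policy identifier and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the minimum password length.
# On a Mac:  pwpolicy -getaccountpolicies | check_min_length
MIN_REQUIRED=15

# Constructed sample of `pwpolicy -getaccountpolicies` output (assumed format).
sample_policy() {
cat <<'EOF'
Getting global account policies
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{15,}+'</string>
      <key>policyIdentifier</key>
      <string>com.example.minlength</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Print the minimum length enforced by the policy on stdin (nothing if no rule).
# A password must satisfy every rule, so the largest N is the effective minimum.
policy_min_length() {
  grep -o "policyAttributePassword matches '\.{[0-9][0-9]*,}" |
    sed 's/.*{\([0-9]*\),}/\1/' |
    sort -n | tail -n 1
}

# Exit 0 only if the policy on stdin enforces at least MIN_REQUIRED characters.
# A missing length rule counts as a failure, not as a pass.
check_min_length() {
  len=$(policy_min_length)
  [ -n "$len" ] && [ "$len" -ge "$MIN_REQUIRED" ]
}

if sample_policy | check_min_length; then
  echo "PASS: minimum length >= $MIN_REQUIRED"
else
  echo "FAIL: minimum length below $MIN_REQUIRED or not set"
fi
```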

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Unix.

Updated on July 16, 2022