AUTH-9286 - Password aging
Proper protection against weak passwords and regular changes, limits the risk of cracking passwords or being obtained by unauthorized people.
How to solve
Passwords are a key component to authenticate users to Linux systems. Passwords need to be of a good quality, to prevent so-called brute-forcing attacks. In such case, easy passwords can be quickly guessed, resulting in a possible intrusion. The strength of passwords is determined by the length and variety of characters, including capitals, numbers, and special characters.
Besides the strength, it is good to use password aging. This means a password can only be used for a specific duration of time before the user has to change it again. This enforces them to change it on a regular basis, having hopefully a bigger variety in passwords used on the system and other services.
Password aging is not always needed on the Linux system itself. For example, when using two-factor authentication, central authentication with LDAP or Radius.
For Lynis Enterprise users we have additional tests regarding authentication and passwords. Consider upgrading if password strength and aging are important aspects for your environment.
Linux and Unix System Hardening
This information is provided as part of the Lynis community project. It is related to Lynis control AUTH-9286. All information should be considered as-is, without guarantees. Any advice or snippets should be tested before implementing in production environments.
Lynis is a technical security audit tool for systems running Linux, UNIX, *BSD, and macOS. It is open source software and free to use. The project has an active community, and can also be found on GitHub.
Need more advanced features, like vulnerability scanning, or reporting installed software packages? Lynis Enterprise will collect more data and present it with an easy to use web interface.
Gain additional benefits: automating security audits, reporting, and the implementation of related security measures.
- Centralized management
- Prioritized plans
- Integration (API)
- Improvement snippets for tools like Ansible, Chef, Cfengine and Puppet