mediumaccess-controlverified ✓rollback-safe
Set maximum password complexity retries to 3 or fewer
pam-pwquality-retry · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The retry option in /etc/security/pwquality.conf must be set to 3 or less, limiting the number of times a user can attempt to enter a new password that satisfies complexity requirements.
Rationale
Limiting password retry attempts reduces the window for observing password complexity feedback and forces users to choose a compliant password more carefully.
Check → Remediate
Checkconfig_value
- path:
- /etc/security/pwquality.conf
- key:
- retry
- expected:
- 3
- comparator:
- <=
Remediateconfig_set
- path:
- /etc/security/pwquality.conf
- key:
- retry
- value:
- 3
- separator:
- =
Framework references
STIG
V-258091 / RHEL-09-611010V-251716V-270705 / UBTU-24-300016V-260567 / UBTU-22-611045V-281204 / RHEL-10-600485
NIST 800-53
IA-5(1)
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#pam#pwquality#password-complexity#authentication