← Rules Catalog
mediumaccess-controlverified rollback-safe

Set maximum password complexity retries to 3 or fewer

pam-pwquality-retry · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The retry option in /etc/security/pwquality.conf must be set to 3 or less, limiting the number of times a user can attempt to enter a new password that satisfies complexity requirements.

Rationale

Limiting password retry attempts reduces the window for observing password complexity feedback and forces users to choose a compliant password more carefully.

Check → Remediate

Checkconfig_value
path:
/etc/security/pwquality.conf
key:
retry
expected:
3
comparator:
<=
Remediateconfig_set
path:
/etc/security/pwquality.conf
key:
retry
value:
3
separator:
=

Framework references

STIG

V-258091 / RHEL-09-611010V-251716V-270705 / UBTU-24-300016V-260567 / UBTU-22-611045V-281204 / RHEL-10-600485

NIST 800-53

IA-5(1)

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#pam#pwquality#password-complexity#authentication