Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). An adversary may attempt to access detailed information about the password policy used within an enterprise network. This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).Password policies can be set and discovered on Windows, Linux, and macOS systems. (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
net accountsnet accounts /domain
chage -lcat /etc/pam.d/common-password
pwpolicy getaccountpolicies
-
Atomic Test #1 - Examine password complexity policy - Ubuntu
-
Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x
-
Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x
-
Atomic Test #4 - Examine password expiration policy - All Linux
Lists the password complexity policy to console on Ubuntu Linux.
Supported Platforms: Ubuntu
cat /etc/pam.d/common-password
Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
Supported Platforms: CentOS
cat /etc/security/pwquality.conf
Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
Supported Platforms: CentOS
cat /etc/pam.d/system-auth
cat /etc/security/pwquality.conf
Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
Supported Platforms: Linux
cat /etc/login.defs