In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords.
The product does not require that users should have strong passwords.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cloud-init | Canonical | * | 19.4 (including) |
| Red Hat Enterprise Linux 7 | RedHat | cloud-init-0:19.4-7.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | cloud-init-0:19.4-11.el8 | * |
| Cloud-init | Ubuntu | bionic | * |
| Cloud-init | Ubuntu | devel | * |
| Cloud-init | Ubuntu | eoan | * |
| Cloud-init | Ubuntu | esm-infra/bionic | * |
| Cloud-init | Ubuntu | esm-infra/focal | * |
| Cloud-init | Ubuntu | esm-infra/xenial | * |
| Cloud-init | Ubuntu | focal | * |
| Cloud-init | Ubuntu | groovy | * |
| Cloud-init | Ubuntu | hirsute | * |
| Cloud-init | Ubuntu | impish | * |
| Cloud-init | Ubuntu | jammy | * |
| Cloud-init | Ubuntu | trusty | * |
| Cloud-init | Ubuntu | upstream | * |
| Cloud-init | Ubuntu | xenial | * |
A product’s design should require adherance to an appropriate password policy. Specific password requirements depend strongly on contextual factors, but it is recommended to contain the following attributes:
Depending on the threat model, the password policy may include several additional attributes.
See NIST 800-63B [REF-1053] for further information on password requirements.