Verify that the root password meets your organization’s corporate password complexity requirements.

Validating the root password complexity is required as the root user bypasses the pam_cracklib module password complexity check that is applied to user accounts.

The account password must start with $6$, which indicates a sha512 hash. This is the standard hash for all hardened appliances.


  1. To verify the hash of the root password, log in as root and run the # more /etc/shadow command.

    The hash information is displayed.

    Figure 1. Password Hash Results
    Password Hash Results
  2. If the root password does not contain a sha512 hash, run the passwd command to change it.


All hardened appliances enable enforce_for_root for the pw_history module, found in the /etc/pam.d/common-password file. The system remembers the last five passwords by default. Old passwords are stored for each user in the /etc/securetty/passwd file.