
How To Force Users To Use Strong Passwords In Debian And Ubuntu

By sk

This brief tutorial explains how to force users to use strong passwords using Pluggable Authentication Modules (PAM) in Debian, Ubuntu and other DEB-based systems.

Introduction

A strong password must have at least 14 characters, including at least one special character, one numerical character, one uppercase and one lower case letter. More importantly, passwords shouldn't be easily predictable and shouldn't be based on dictionary words.

Some non-technical users, however, either do not understand security or do not care about it. They keep using easily predictable passwords like pass123, welcome123, Welcome@1 etc., which can be broken in a few attempts.

Also, some users won't change their passwords for ages. As a system administrator, it is your job to enforce a strong password policy in order to protect the systems from dictionary-based and brute-force attacks.

This guide has been officially tested in Ubuntu 22.04 LTS and its previous editions. The instructions posted here are the same for Debian and for other Debian- and Ubuntu-based distributions such as Linux Mint, Elementary OS, and Pop!_OS.

Force Users To Use Strong Passwords In Debian, Ubuntu, Linux Mint, Pop!_OS

Pluggable Authentication Modules (PAM) is installed by default on DEB-based systems. However, you need to install an additional module called libpam-cracklib. To do so, run the following command from the Terminal:

$ sudo apt install libpam-cracklib

In Debian-based systems, the password policies are defined in the /etc/pam.d/common-password file. Before making any changes to it, back up this file.

$ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak

Now, edit /etc/pam.d/common-password file:

$ sudo nano /etc/pam.d/common-password

Find the following line and edit or change it as shown below. If the following line doesn't exist, just add it.

password required pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1 difok=2 reject_username

Let us break down this line and see what each option will do.

  • try_first_pass retry=N - Maximum number of retries to change password. N indicates the number. The default for this parameter is 1.
  • minlen=N - The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default value is 9.
  • lcredit=N - Define the maximum credit for containing lowercase letters in the password. Default value is 1.
  • ucredit=N - Define the maximum credit for containing uppercase letters in the password. Default value is 1.
  • dcredit=N - Define the maximum credit for containing digits in the password. Default value is 1.
  • ocredit=N - Define the maximum credit for containing other characters in the password. Default value is 1.
  • difok=N - Define the number of characters that must be different from the previous password.
  • reject_username - Prevent users from using their user name as the password.

Hope you got the basic idea about the aforementioned parameters.

As defined in the above file, users must now use a password with a password complexity score of 12. One 'credit' will be given for 1 lowercase letter, 1 credit for 1 uppercase letter, 1 credit for at least 2 digits, and 1 credit for 1 other character.

However, you can disable the credits by assigning negative values, and force the user to use a combination of different characters with a minimum length.

Check the following example:

password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=2 reject_username

As defined above, users must use a password with a complexity score of 8, including 1 lowercase letter, 1 uppercase letter, 2 digits, and 1 other character.

Please note that these restrictions apply to normal users only, not to the root user. The root user is free to use any type of password.
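
The minlen and credit arithmetic behind the two policy lines above, modelled in Python as an added example (not code from this article or from PAM). It follows the option semantics documented in the pam_cracklib man page and covers only the length/credit check, not the dictionary, difok or reject_username tests; the function names and sample passwords are constructed for illustration.

```python
import re
import string

# Defaults as listed in the option breakdown above.
DEFAULTS = {"minlen": 9, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}
LABELS = {"lcredit": "lowercase", "ucredit": "uppercase",
          "dcredit": "digit", "ocredit": "other"}

def parse_policy(pam_line):
    """Pull the length/credit options out of a pam_cracklib line."""
    policy = dict(DEFAULTS)
    for key, value in re.findall(r"\b(\w+)=(-?\d+)", pam_line):
        if key in policy:
            policy[key] = int(value)
    return policy

def count_classes(password):
    """Count characters per class (ASCII classes, as in the C locale)."""
    counts = dict.fromkeys(LABELS, 0)
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.digits:
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts

def check(password, policy):
    """Return (accepted, reason) for the minlen/credit check only."""
    required = policy["minlen"]
    for opt, have in count_classes(password).items():
        n = policy[opt]
        if n >= 0:
            required -= min(have, n)   # up to N chars of this class count +1 each
        elif have < -n:                # negative N: hard minimum, no credit
            return False, f"needs at least {-n} {LABELS[opt]} character(s)"
    if len(password) >= required:
        return True, f"length {len(password)} >= effective minimum {required}"
    return False, f"length {len(password)} < effective minimum {required}"

# The two policy lines from this article.
CREDIT = parse_policy("password required pam_cracklib.so try_first_pass retry=3 "
                      "minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1 difok=2")
STRICT = parse_policy("password required pam_cracklib.so minlen=8 lcredit=-1 "
                      "ucredit=-1 dcredit=-2 ocredit=-1 difok=2 reject_username")

if __name__ == "__main__":
    for pw in ("aB12#xy", "aB12#xyz", "abcdefghijk"):   # constructed samples
        print(pw, "| credit:", check(pw, CREDIT), "| strict:", check(pw, STRICT))
```

With positive credits, the minlen=12 line accepts the 7-character sample because up to five credits are subtracted from the required length. With negative values, minlen is a true character count and each class minimum is enforced separately.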

Check And Verify The Password Complexity

Once you have defined the password policy, check whether it's working or not.

Let us assign a simple password that doesn't meet the password policy and see what happens.

To change or assign a password to the currently logged-in user, run:

$ passwd

Sample Output:

Changing password for ostechnix.
Current password: 
New password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
New password: 
BAD PASSWORD: it is based on a dictionary word
New password: 
Retype new password: 
BAD PASSWORD: is too simple
New password: 
BAD PASSWORD: is too simple
New password: 
BAD PASSWORD: is too simple
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged

As you see in the above output, the user can't set the password because the given password doesn't meet the requirements.

Now try to set a password that meets the actual password policy requirement (i.e. 12 characters including at least 1 lowercase, 1 uppercase, 2 digits, 1 other character).

[Screenshot: Set User Password]

As you see in the above screenshot, a secure password has been set to the user "ostechnix".

That's all for now. We have successfully enforced the password policies using PAM. For more details, check the man page:

$ man pam_cracklib


4 comments

Michael T November 18, 2019 - 10:02 am

Why are you talking about ‘maximum complexity’ when talking about minlen? Don’t you mean ‘*minimum complexity?’

sk November 18, 2019 - 12:04 pm

Nice catch. Thanks for pointing out. Corrected it now.

Maarten October 27, 2023 - 8:51 pm

libpam-cracklib no longer exists in Debian 12, but there is libpam-pwquality

sk October 28, 2023 - 10:55 am

Thanks for the update.
