
How To Set Password Policies In Linux

By sk

This tutorial describes how to set password policies such as password length, password complexity, password expiration period etc., in DEB based systems like Debian, Ubuntu, and Linux Mint, and RPM based systems like Fedora, RHEL, and CentOS.

Introduction

Even though Linux is secure by design, there are still many ways a system can be breached. One of them is weak passwords.

As a system administrator, you must set strong passwords for users and enforce a strong password policy, because many system breaches happen due to weak passwords.

In this guide, we will learn how to implement some important Linux password policies using Pluggable Authentication Modules, better known as PAM, in order to strengthen your Linux system's security.

Before getting into the topic, I'd like to list a few key points to keep in mind before setting up password policies.

Password Guidelines And Best Practices

Make sure the password is long enough

In most environments, the recommended password length is 8 characters.

An eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to remember easily. I strongly advise you not to go below this limit.

Password length has been found to be a primary factor in characterizing password strength. The longer the password, the longer it will take to crack.

Passwords that are too short are prone to brute-force attacks as well as to dictionary attacks using words and commonly chosen passwords.

In fact, a longer password, even consisting of simpler words or constructs, is much better than a short password with special characters.

Avoid easily guessable passwords

Another important point to remember while choosing a password is to avoid commonly used passwords.

More importantly, never ever use your real name, parents/spouse/kids name, school/college name, or your date of birth in your password.

You might have added some of your personal details and most of your educational and professional details to social networks (e.g. Facebook) and professional networks (e.g. LinkedIn). An attacker might try to guess your password from these details. Hence, you should not include any of them in your passwords.

Avoid overly complex passwords

Some Linux admins put too many restrictions on the passwords users may choose. While this is meant to improve security, it can also be counterproductive.

Users frustrated by a strict password policy tend to choose worse passwords that only just satisfy it.

For instance, a user will add complexity to his/her password by simply appending a number or special character such as "1" or "!", or by capitalizing the first letter.

These kinds of passwords might take longer to crack, but attackers know that users tend to follow these patterns and will base their guesses on them.

Avoid shorter password expiration time

This is another commonly imposed security restriction, and it puts an unnecessary burden on users. Say you set the password expiration time to 30 days: users then have to set a new password every month, and they will certainly not be happy about it.

Instead of setting a short expiration time, increase the required password length.

Use multi-factor authentication

Use 2FA or MFA wherever possible. This is one of the best security practices for securing your systems.

To put it all together, a good password must always contain at least 8 characters, including a number, an uppercase letter, and a special character. If possible, use multi-factor authentication.

Well, let us go ahead and learn how to set Linux password policies.

Set Password Policies In Linux

As I already said, we are going to implement the following 3 password policies:

  1. Password length,
  2. Password complexity,
  3. Password expiration time.

First, we will see how to set password length in DEB-based systems.

Set Password Length In Debian, Ubuntu And Its Derivatives

Pluggable Authentication Modules (PAM) are installed by default on DEB-based systems.

Usually, the password- and authentication-related configuration files are stored in the /etc/pam.d/ directory on Debian-based systems, and the password policies are defined in the /etc/pam.d/common-password file. Before making any changes to it, back up this file, just in case.

$ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak

To set minimum password length, edit /etc/pam.d/common-password file:

$ sudo nano /etc/pam.d/common-password

Find the following line:

password [success=2 default=ignore] pam_unix.so obscure sha512

And add the option minlen=8 at the end. Here I set the minimum password length to 8.

password [success=2 default=ignore] pam_unix.so obscure sha512 minlen=8

Save and close the file. Now users can't use fewer than 8 characters for their passwords.

Set password length in RPM based systems

In RHEL, CentOS 7.x systems, run the following command as root user to set password length.

# authconfig --passminlen=8 --update

To view the minimum password length, run:

# grep "^minlen" /etc/security/pwquality.conf

Sample output:

minlen = 8

In RHEL, CentOS 6.x systems, edit /etc/pam.d/system-auth file:

# nano /etc/pam.d/system-auth

Find the pam_cracklib line and add minlen=8 at the end, so that it reads:

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 

As per the above setting, the minimum password length is 8 characters.

Set password complexity in DEB based systems

This setting enforces how many character classes, i.e. upper-case letters, lower-case letters, digits, and other characters, must appear in a password.

First, install the password quality checking library:

$ sudo apt install libpam-pwquality

Then, edit /etc/pam.d/common-password file:

$ sudo nano /etc/pam.d/common-password

To require at least one upper-case letter in the password, add the option ucredit=-1 at the end of the following line:

password        requisite                       pam_pwquality.so retry=3 ucredit=-1

To require at least one lower-case letter in the password, use lcredit=-1 as shown below (dcredit controls digits, not lower-case letters).

password        requisite                       pam_pwquality.so retry=3 lcredit=-1

To require at least one other character (anything that is not a letter or a digit), use ocredit=-1 as shown below.

password        requisite                       pam_pwquality.so retry=3 ocredit=-1

As you can see in the above examples, we have required at least (a minimum of) one upper-case letter, one lower-case letter, and one special character in the password. A negative value for any of these credit options is a minimum count for that class; a value of zero or more is instead the maximum credit that class can add toward the minimum length, not a required count.

You can also set the minimum number of character classes a password must contain.

The following example requires at least two character classes in the new password:

password        requisite                       pam_pwquality.so retry=3 minclass=2

Set password complexity in RPM based systems

In RHEL 7.x / CentOS 7.x :

To set at least one lower-case letter in the password, run:

# authconfig --enablereqlower --update

To view the settings, run:

# grep "^lcredit" /etc/security/pwquality.conf

Sample output:

lcredit = -1

Similarly, set at least one upper-case letter in the password using command:

# authconfig --enablerequpper --update

To view the settings:

# grep "^ucredit" /etc/security/pwquality.conf

Sample output:

ucredit = -1

To set at least one digit in the password, run:

# authconfig --enablereqdigit --update

To view the setting, run:

# grep "^dcredit" /etc/security/pwquality.conf

Sample output:

dcredit = -1

To set at least one other character in the password, run:

# authconfig --enablereqother --update

To view the setting, run:

# grep "^ocredit" /etc/security/pwquality.conf

Sample output:

ocredit = -1

In RHEL 6.x / CentOS 6.x systems, edit /etc/pam.d/system-auth file as root user:

# nano /etc/pam.d/system-auth

Find the pam_cracklib line and add dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 at the end, so that it reads:

password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

As per the above setting, the password must have at least 8 characters. In addition, the password must also contain at least one upper-case letter, one lower-case letter, one digit, and one other character.
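To see what these credit settings actually accept before enforcing them, here is an added example (my own code, not from the tutorial or from PAM) that re-implements the minlen, ucredit/lcredit/dcredit/ocredit and minclass arithmetic used by pam_pwquality and pam_cracklib; the RHEL 6 line above is expressed as a policy and the sample passwords are constructed.

```python
"""Evaluate a candidate password against pam_pwquality / pam_cracklib rules.
Added example, not part of the original tutorial: it re-implements the
minlen / ucredit / lcredit / dcredit / ocredit / minclass arithmetic so you
can see what a policy line accepts before enforcing it on a live system."""
import string

CLASS_NAMES = {"u": "upper-case", "l": "lower-case", "d": "digit", "o": "other"}

def classify(password):
    """Count characters per class (ASCII rules, like the C ctype checks)."""
    counts = {"u": 0, "l": 0, "d": 0, "o": 0}
    for ch in password:
        if ch in string.digits:
            counts["d"] += 1
        elif ch in string.ascii_uppercase:
            counts["u"] += 1
        elif ch in string.ascii_lowercase:
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def check_password(password, minlen=8, ucredit=0, lcredit=0,
                   dcredit=0, ocredit=0, minclass=0):
    """Return (accepted, reason). A negative credit is a minimum count for
    that class; a credit >= 0 is the maximum bonus the class adds to the
    length score, so the length check is len(password) + bonuses >= minlen."""
    counts = classify(password)
    credits = {"u": ucredit, "l": lcredit, "d": dcredit, "o": ocredit}
    score = len(password)
    for cls, credit in credits.items():
        if credit < 0 and counts[cls] < -credit:
            return False, "needs at least %d %s character(s)" % (-credit, CLASS_NAMES[cls])
        if credit >= 0:
            score += min(counts[cls], credit)  # bonus is capped at the credit value
    if score < minlen:
        return False, "too short: length %d scores %d with credits, minlen=%d" % (
            len(password), score, minlen)
    classes = sum(1 for n in counts.values() if n > 0)
    if classes < minclass:
        return False, "only %d character class(es), minclass=%d" % (classes, minclass)
    return True, "ok"

# The tutorial's RHEL 6 pam_cracklib line, expressed as keyword arguments.
RHEL6_POLICY = dict(minlen=8, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1)

if __name__ == "__main__":
    for pw in ("password", "Passw0rd!", "Ab1!"):  # constructed samples
        print(pw, check_password(pw, **RHEL6_POLICY))
```

Note that with a positive credit a seven-character all-lower-case password passes minlen=8, which is the "plus one" effect the pwquality.conf manual page mentions.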

Set password expiration period in DEB based systems

We are going to set the following policies:

  1. Maximum number of days a password may be used.
  2. Minimum number of days allowed between password changes.
  3. Number of days warning given before a password expires.

To set this policy, edit:

$ sudo nano /etc/login.defs

Set the values as per your requirement.

PASS_MAX_DAYS 100
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

As you can see in the above example, the user must change the password every 100 days, and a warning message will appear 7 days before the password expires.

Be mindful that these settings only apply to newly created users.

To set the maximum number of days between password changes for an existing user, run:

$ sudo chage -M <days> <username>

To set the minimum number of days between password changes, run:

$ sudo chage -m <days> <username>

To set the number of warning days before the password expires, run:

$ sudo chage -W <days> <username>

To display the password aging information for an existing user, run:

$ sudo chage -l sk

Here, sk is my username.

Sample output:

Last password change : Feb 24, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

As you can see in the above output, the password never expires.

To change the password expiration settings of an existing user (chage expects the date as YYYY-MM-DD):

$ sudo chage -E 2018-06-24 -m 5 -M 90 -I 10 -W 10 sk

The above command sets the account of the user 'sk' to expire on 2018-06-24 (24/06/2018). The minimum number of days between password changes is set to 5, and the maximum number of days between password changes is set to 90. The account will be locked automatically if the password is not changed within 10 days after it expires, and a warning message will be displayed for 10 days before the password expires.
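As an added example (my own code, not part of the tutorial), the following script parses the output of chage -l and compares an existing account against the PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE values chosen in /etc/login.defs above; the sample output is constructed from the listing for user sk, and the 100 / 0 / 7 thresholds are assumed from that section.

```python
# Added example (not the tutorial's own code): audit `chage -l <user>` output
# against the PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE values chosen above.
from datetime import datetime, timedelta

# Constructed sample: the tutorial's own `sudo chage -l sk` listing.
SAMPLE_CHAGE_OUTPUT = """\
Last password change : Feb 24, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
"""
# chage (shadow-utils) labels we care about; any other line is ignored.
FIELDS = {
    "Last password change": "last_change",
    "Minimum number of days between password change": "min_days",
    "Maximum number of days between password change": "max_days",
    "Number of days of warning before password expires": "warn_days",
}

def parse_chage(text):
    """Turn chage -l output into a dict; day counts become ints."""
    info = {}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        if label.strip() in FIELDS:
            value = value.strip()
            info[FIELDS[label.strip()]] = int(value) if value.lstrip("-").isdigit() else value
    return info

def expiry_date(info):
    """Date by which the password must be changed, or None if it never expires."""
    max_days = info.get("max_days", 99999)
    if max_days < 0 or max_days >= 99999:  # chage prints 'never' for these
        return None
    last = datetime.strptime(info["last_change"], "%b %d, %Y")  # C/English locale
    return (last + timedelta(days=max_days)).date()

def audit_aging(info, max_days=100, min_days=0, warn_days=7):
    """Return policy findings for one account (an empty list means compliant)."""
    findings = []
    if expiry_date(info) is None:
        findings.append("password never expires")
    elif info["max_days"] > max_days:
        findings.append("max_days %d exceeds policy %d" % (info["max_days"], max_days))
    for key, floor in (("min_days", min_days), ("warn_days", warn_days)):
        if info.get(key, 0) < floor:
            findings.append("%s %d below policy %d" % (key, info.get(key, 0), floor))
    return findings
```

Run it over the real output of chage -l for each account in /etc/passwd to find users who were created before the login.defs change and still carry the 99999-day default.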

Set password expiration period in RPM based systems

This is the same as for DEB-based systems.

Forbid previously used passwords in DEB based systems

You can prevent users from setting a password they have already used in the past. To put it in layman's terms, users can't use the same password again.

To do so, edit /etc/pam.d/common-password file:

$ sudo nano /etc/pam.d/common-password

Find the following line and add remember=5 at the end:

password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512 remember=5

The above policy prevents users from reusing any of their last 5 passwords.

Forbid previously used passwords in RPM based systems

This is the same for both RHEL 6.x and RHEL 7.x and their clones such as CentOS and Scientific Linux.

Edit the /etc/pam.d/system-auth file as the root user:

# vi /etc/pam.d/system-auth

Find the following line, and add remember=5 at the end.

password     sufficient     pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

You now know what password policies are in Linux, and how to set different password policies on DEB- and RPM-based systems.


6 comments

Nguyễn Anh Tú March 2, 2016 - 7:33 am

Nice article. Great work!

Eddie O'Connor March 3, 2017 - 3:51 am

Awesome information! I wish you guys would come out with your OWN Linux Administration Book….(one that covers both the Debian side and the Red Hat side!) It would be the Number One Sold Book in the Open Source World!…LoL! There’s nothing more annoying as a Linux Admin than to get ready to do some CLI work only to find out its the “other” Linux system (either you’re in an RHEL-world and the box you’re connected to is Debian based…..else you’re in a Debian-centric network and you’ve just connected to an RHEL box) it would make administration SO much easier if there was just ONE reference manual that you needed to consult……well here’s to hoping it actually happens….(or would it be against some GPL-based rules?……or maybe Red Hat would come after you?….)

starnight_cyber March 11, 2019 - 7:48 am

Hello, I have a question with "Set password length in RPM based systems".
authconfig, configuration file: /etc/security/pwquality.conf
It is not enforced to comply with the rules, that is to say, take passminlen=8, but we can still set a password of less than 8 characters.
When we set such a password, it will give us a hint, but we can still set such a password.
Troublesome ...

Brad Reed March 12, 2019 - 1:58 am

The article really should be named “How To Set Password Policies In Linux using PAM,” since this only applies to linux systems that use PAM. Slackware, for example, does not.

sk March 12, 2019 - 11:50 am

Thanks for the heads up. I never used Slackware.

Milind Pawar April 23, 2020 - 3:19 pm

Use/Try this if none works:

#— Your Current password & TWO other passwords which you already used
password required pam_pwhistory.so retry=6
password sufficient pam_unix.so sha512 shadow try_first_pass obscure use_authtok remember=3

This makes use of the PAM history module. Your old passwords will get stored in encrypted form under the /etc/security/opasswd file.
