As much as Linux is considered a secure operating system, an account is only as secure as the password that protects it. Password policies exist to ensure that users set strong passwords, and as a Linux administrator you should enforce them so that a breach is harder to pull off. You surely don't want users configuring weak or guessable passwords that an attacker can brute-force in a matter of seconds.
In this article we look at how to enforce password policies in Linux, specifically on CentOS and Ubuntu: password expiration, password complexity and password length.
Enforce Password Policies in Ubuntu / Debian
There are two main settings you can enforce. Let's take a look at each in detail.
1) Configure the maximum number of days that a password can be used
To begin with, you can configure a policy that requires users to change their passwords after a set number of days, which limits how long a password that has leaked or been cracked remains usable. This applies not just to Linux but to other systems such as Windows and macOS. Note that current NIST guidance (SP 800-63B) advises against forcing routine rotation of user-chosen passwords and recommends requiring a change when compromise is suspected, so expiry should complement, not replace, the complexity rules covered below.
To achieve this in Debian/Ubuntu, edit the /etc/login.defs file and look for the PASS_MAX_DAYS directive.
By default, this is set to 99999 days, which in practice means passwords never expire.
Change it to a reasonable duration, say 30 days, by setting the value to 30 and saving the file. Keep in mind that login.defs is consulted only when an account is created: the value is copied into /etc/shadow for users added afterwards with useradd, so accounts that already exist keep their old expiry and must be updated individually with the chage command. Once the 30 days lapse, the user is forced to set a new password at the next login.
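The procedure above, as an added example that is not part of the original article: a POSIX shell script that sets PASS_MAX_DAYS in a login.defs-style file (replacing an existing uncommented setting or appending one), reads the effective value back, and lists the chage commands needed for accounts that already exist, since login.defs alone does not touch them. The login.defs and passwd excerpts in demo() are constructed, the 1..365 sanity bound is an assumption of this script, and the file path argument lets you try it on a copy before editing /etc/login.defs.

```shell
#!/bin/sh
# Added example, not from the original article: manage PASS_MAX_DAYS in a
# login.defs-style file and show what is still needed for existing accounts.
set -eu

# Print the effective PASS_MAX_DAYS from FILE (last uncommented occurrence
# wins); prints nothing if the directive is absent or commented out.
get_pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { if (v != "") print v }' "$1"
}

# set_pass_max_days FILE DAYS: replace an existing uncommented PASS_MAX_DAYS
# line or append one.  The 1..365 bound is a sanity check chosen for this
# script, not a limit imposed by shadow or PAM.
set_pass_max_days() {
    spd_file="$1"; spd_days="$2"
    case "$spd_days" in
        ''|*[!0-9]*) echo "days must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$spd_days" -lt 1 ] || [ "$spd_days" -gt 365 ]; then
        echo "refusing PASS_MAX_DAYS=$spd_days (expected 1..365)" >&2
        return 1
    fi
    if grep -qE '^[[:space:]]*PASS_MAX_DAYS[[:space:]]+' "$spd_file"; then
        # value is digits only (validated above), so it is safe inside sed
        sed -i -E "s/^([[:space:]]*PASS_MAX_DAYS[[:space:]]+)[0-9]+/\1$spd_days/" "$spd_file"
    else
        printf 'PASS_MAX_DAYS\t%s\n' "$spd_days" >> "$spd_file"
    fi
}

# login.defs is only read when an account is created, so print the chage
# commands that bring existing human accounts (UID >= 1000, excluding nobody)
# in line.  PASSWD_FILE defaults to /etc/passwd; pass a copy to dry-run.
chage_commands_for_existing_users() {
    ccu_days="$1"; ccu_passwd="${2:-/etc/passwd}"
    awk -F: -v d="$ccu_days" '$3 >= 1000 && $1 != "nobody" { print "chage -M " d " " $1 }' "$ccu_passwd"
}

# Walk through the change on a constructed excerpt of a stock login.defs.
demo() {
    demo_tmp=$(mktemp)
    printf '# Password aging controls\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n' > "$demo_tmp"
    echo "before: PASS_MAX_DAYS=$(get_pass_max_days "$demo_tmp")"
    set_pass_max_days "$demo_tmp" 30
    echo "after:  PASS_MAX_DAYS=$(get_pass_max_days "$demo_tmp")"
    rm -f "$demo_tmp"
}

if [ "${1-}" = "--demo" ]; then
    demo
fi
```

Run it as sh pass-max-days.sh --demo to watch it work on a temporary copy. To apply the change for real, call set_pass_max_days /etc/login.defs 30 as root, run the chage -M 30 user commands it prints for existing accounts, and confirm with chage -l user, which shows the maximum number of days between password changes and the resulting expiry date.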
2) Configure password complexity with PAM
Ensuring that passwords meet a certain degree of complexity is equally crucial, and it makes brute-force and dictionary attacks against your system far more expensive.
As a general rule, a strong password should mix uppercase, lowercase, numeric and special characters and be at least 12-15 characters long.
To enforce password complexity in Debian / Ubuntu systems, you need to install the libpam-pwquality package as shown:
$ sudo apt install libpam-pwquality
Once installed, open the /etc/pam.d/common-password file, which is where the password policy is set. Installing the package adds a pam_pwquality line to this file automatically through pam-auth-update. Keep in mind that pam-auth-update regenerates this file, so manual edits may be lost on a later run; the same options can instead be set in /etc/security/pwquality.conf, which pam_pwquality also reads. By default, the file appears as shown:
Locate the line shown below
password requisite pam_pwquality.so retry=3
Add the following attributes to the line:
minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root
The entire line should then read:
password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username enforce_for_root
Here is what each directive does:
- retry=3: pam_pwquality prompts the user up to 3 times for an acceptable password before giving up and returning an error.
- minlen=12: The password must be at least 12 characters long. With the credit options below set to negative values, character classes add no length credit, so this is a true minimum.
- maxrepeat=3: No more than 3 identical characters may appear consecutively in the password.
- ucredit=-1: The option requires at least one uppercase character in the password.
- lcredit=-1: The option requires at least one lowercase character in the password.
- dcredit=-1: The option requires at least one numeric character in the password.
- ocredit=-1: The option requires at least one special (non-alphanumeric) character in the password.
- difok=4: This implies that a minimum of
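As an added example that is not part of the original article, here is a small POSIX shell checker that applies the rules of the pam_pwquality line above (minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username) to candidate passwords offline, so you can see what the policy accepts and rejects before rolling it out. It reimplements the option semantics documented in pwquality.conf(5) and is not libpwquality itself: the real module additionally runs dictionary, similarity and username edit-distance checks. The user name alice and the candidate passwords used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: apply the rules of the
# pam_pwquality line (minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
# ocredit=-1 difok=4 reject_username) to candidate passwords offline.
# Mirrors the option semantics in pwquality.conf(5); it is not libpwquality,
# which also runs dictionary, similarity and username-distance checks.
set -eu

MINLEN=12
MAXREPEAT=3
DIFOK=4

# Longest run of one repeated character in $1 (0 for an empty string).
longest_run() {
    awk 'BEGIN {
        s = ARGV[1]; best = 0; run = 0; prev = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            run = (c == prev) ? run + 1 : 1
            if (run > best) best = run
            prev = c
        }
        print best
    }' "$1"
}

# Number of characters in NEW ($1) that do not occur anywhere in OLD ($2);
# this is the quantity difok constrains according to pwquality.conf(5).
count_new_chars() {
    awk 'BEGIN {
        new = ARGV[1]; old = ARGV[2]; n = 0
        for (i = 1; i <= length(new); i++)
            if (index(old, substr(new, i, 1)) == 0) n++
        print n
    }' "$1" "$2"
}

# Reverse $1; reject_username also rejects the reversed user name.
reverse() {
    awk 'BEGIN {
        s = ARGV[1]; r = ""
        for (i = length(s); i >= 1; i--) r = r substr(s, i, 1)
        print r
    }' "$1"
}

# check_password USER NEW [OLD]: prints "OK", or "FAIL:" followed by the
# rules the candidate breaks, and returns 1 in that case.
check_password() {
    cp_user="$1"; cp_pw="$2"; cp_old="${3-}"; cp_failed=""
    [ "${#cp_pw}" -ge "$MINLEN" ] || cp_failed="$cp_failed minlen=$MINLEN"
    case "$cp_pw" in *[[:upper:]]*) ;; *) cp_failed="$cp_failed ucredit=-1" ;; esac
    case "$cp_pw" in *[[:lower:]]*) ;; *) cp_failed="$cp_failed lcredit=-1" ;; esac
    case "$cp_pw" in *[[:digit:]]*) ;; *) cp_failed="$cp_failed dcredit=-1" ;; esac
    # "other" characters are anything that is not a letter or a digit
    case "$cp_pw" in *[![:alnum:]]*) ;; *) cp_failed="$cp_failed ocredit=-1" ;; esac
    [ "$(longest_run "$cp_pw")" -le "$MAXREPEAT" ] || cp_failed="$cp_failed maxrepeat=$MAXREPEAT"
    # reject_username compares case-insensitively, straight and reversed
    cp_lpw=$(printf '%s' "$cp_pw" | tr '[:upper:]' '[:lower:]')
    cp_luser=$(printf '%s' "$cp_user" | tr '[:upper:]' '[:lower:]')
    if [ -n "$cp_luser" ]; then
        case "$cp_lpw" in
            *"$cp_luser"*|*"$(reverse "$cp_luser")"*) cp_failed="$cp_failed reject_username" ;;
        esac
    fi
    # difok only applies when an old password is available to compare with
    if [ -n "$cp_old" ] && [ "$(count_new_chars "$cp_pw" "$cp_old")" -lt "$DIFOK" ]; then
        cp_failed="$cp_failed difok=$DIFOK"
    fi
    if [ -n "$cp_failed" ]; then
        echo "FAIL:$cp_failed"
        return 1
    fi
    echo "OK"
}

# Usage: sh pwcheck.sh USER CANDIDATE [OLD_PASSWORD]
if [ "$#" -ge 2 ]; then
    check_password "$1" "$2" "${3-}"
fi
```

Run it as sh pwcheck.sh alice 'Candidate-Pass-1' and use the exit code in scripts. To exercise the real library on a Debian/Ubuntu host instead, install libpwquality-tools and pipe a candidate into pwscore, which applies the settings from /etc/security/pwquality.conf and reports a score or the reason for rejection.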