How to force users to use strong passwords in Debian and Ubuntu distros? Linux

A strong password must have 14 characters which should include one special character, one number and one uppercase and one lowercase. Password shouldn’t be predictable and shouldn’t be based on dictionary words. Some administrators / non-techie users do not understand how important Debian and Ubuntu distros are strong passwords and security. These administrators / non-techie users predictable passwords like pass123, welcome123, P@ssword123, and these types of passwords are easy to crack.

This article forces users to use strong passwords in DEB based distributions like Debian, Ubuntu, Linux Mint using Pluggable Authentication Modules(PAM)

The Pluggable Authentication Modules (PAM) is by default is installed in DEB based systems. The next step is to install an additional module called libpam-cracklib.

Run the following command from Terminal

$ sudo apt-get install libpam-cracklib

The password policies are defined in /etc/pam.d/common-password file in DEB based systems. The next step is to backup this file before making changes.

$ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak

The next step is to edit the /etc/pam.d/common-password file. Open the file in an editor like nano or vi etc.

$ sudo nano /etc/pam.d/common-password

Find and change the following like below –

password required pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1 difok=2 reject_username

Pluggable Authentication Modules

Description of each option mentioned above –

  • retry=N – Maximum number of retries to change password. The default value is 1.
  • minlen=N – The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default value is 9.
  • lcredit=N – Define the maximum credit for containing lowercase letters in the password. The default value is 1.
  • ucredit=N – Define the maximum number for containing uppercase letters in the password. The default value is 1.
  • dcredit=N – Define the maximum credit for containing digits in the password. The default value is 1.
  • ocredit=N – Define the maximum credit for containing other characters in the password. The default value is 1.
  • difok=N – Define the number of characters that must be different from the previous password.
  • reject_username – Restrict users to use their name as a password.

Based on the above information, users should use a password with a complexity score of 12. You can disable the credits by assigning negative values and force the user to use a combination of different characters with a minimum length.

The next step is to verify the password complexity –

$ passwd

password complexity

The above output shows that users cannot set the password as it does not meet the minimum requirements.

The next output shows that the new password is set as it is based on the defined policy and is secure, i.e. one lowercase, one uppercase, two digits and one other character.

set password

At Outsourced Services for Velan, our server support engineers can help you force users to use strong passwords on your servers. For details, please visit outsourced managed IT services

Credentials

Quick Connect With Us

captcha reload