Strong passwords are a must. But if your servers and desktops don't require strong passwords, you can't enforce such a policy. Here's a step-by-step buide to enabling strong passwords on your Ubuntu machines with the help of PAM.
Chances are you are using Linux in your data center or somewhere on the company network. If you are, you'll want to make sure users create complicated passwords, to safeguard company data. How do you do that? Sounds complicated, right?
Enforcing complex passwords is actually pretty easy in Linux. It does require you to install a single piece of software and work with the command line, but chances are you're already comfortable doing this.
With that said, I'm going to show you how to enforce strong passwords on Ubuntu/Debian with the help of Pluggable Authentication Modules (PAM). I'll be demonstrating on Ubuntu 16.04. Thanks to this addition to your system you can ensure that user passwords:
- Are allowed X amount of failed login attempts before returning with error
- Meet a minimum length
- Must meet a minimum number of differentiations between password changes
- Contain at least X uppercase characters
- Contain at least X lowercase characters
- Contain X digits
- Contain X symbols
Although PAM is already installed, you will have to add an additional module. To do that, open up a terminal window and issue the following command:
sudo apt-get install libpam_cracklib
That's all there is to install.
The configuration file for this setup is /etc/pam.d/common-password. Before you make any changes, let's copy that file. Issue the command:
sudo cp /etc/pam.d/common-password /root/
With a working copy of the file tucked away, open the file in your editor of choice (I prefer nano) and look for the following line:
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
We're going to set this up using the following options:
- minlen = establishes a measure of complexity related to the password length
- lcredit = sets the minimum number of required lowercase letters
- ucredit = sets the minimum number of required uppercase letters
- dcredit = sets the minimum number of required digits
- ocredit = sets the minimum number of required other characters
- difok = sets the number of characters that must be different from those in the previous password
Here's where the configuration gets a bit tricky. You might think that minlen is the minimum length a password must be. Wrong. The minlen is the minimum complexity score that must be reached before a password is considered successful. How this works is that some characters in a password count more than once toward a password complexity. To create this score, complexity is measured by way of a few steps:
- Every character in a passwords adds one point (regardless of type)
- Every lowercase letter adds one point (up to the value of lcredit)
- Every uppercase letter adds one point (up to the value of ucredit)
- Every digit adds one point (up to the value of dcredit)
- Every special character adds one point (up to the value of ocredit)
You can also set these values to a negative number. A negative number denotes the minimum value for a class (a class being lcredit, ucredit, dcredit, etc.), whereas a positive value is the maximum value for a class.
Let's take a look at this example:
password requisite pam_cracklib.so try_first_pass retry=3 minlength=16lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username
The above configuration would ensure passwords have a complexity score of 16 and include at least one character from each class. I also include the reject_username to prevent users from setting their username as a password.
Should a user attempt to change a password, and not meet the requirements, they will find out pretty quickly (Figure A).
A failed attempt to change a password.
You owe it to yourself and your company to ensure that user passwords meet a certain requirement. On your Linux servers, you'll want to take advantage of the system I've outlined. You'll also want to learn as much as possible about this PAM cracklib. To find out more, open up a terminal window and issue the command man pam_cracklib. Within that man page you can learn everything there is to know about configuring PAM to enforce complex passwords.