
How to force users to create secure passwords on Linux

Strong passwords are a must, but unless your servers and desktops actually require them you cannot enforce such a policy. Here's a step-by-step guide to enforcing strong passwords on your Ubuntu machines with the help of PAM.


Chances are you are using Linux in your data center or somewhere on the company network. If you are, you'll want to make sure users create complicated passwords, to safeguard company data. How do you do that? Sounds complicated, right?

Wrong.

Enforcing complex passwords is actually pretty easy in Linux. It does require you to install a single piece of software and work with the command line, but chances are you're already comfortable doing this.

With that said, I'm going to show you how to enforce strong passwords on Ubuntu/Debian with the help of Pluggable Authentication Modules (PAM). I'll be demonstrating on Ubuntu 16.04. With this module added to your system you can ensure that users:

  • Get at most X attempts to choose an acceptable password before passwd gives up with an error
  • Choose passwords that meet a minimum length (strictly, a minimum length score; more on that below)
  • Choose passwords that differ from the previous one in at least X characters
  • Include at least X uppercase characters
  • Include at least X lowercase characters
  • Include at least X digits
  • Include at least X symbols

Installation

Although PAM is already installed, you will have to add an additional module. To do that, open up a terminal window and issue the following command:

sudo apt-get install libpam-cracklib

That's all there is to install.

Configuring pam_cracklib

The configuration file for this setup is /etc/pam.d/common-password. Before you make any changes, make a backup copy of the file so you can restore it if a mistake locks users out of passwd. Issue the command:

sudo cp /etc/pam.d/common-password /root/

With a working copy of the file tucked away, open the file in your editor of choice (I prefer nano) and look for the following line:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3

We're going to set this up using the following options:

  • minlen = the minimum length score a password must reach (not simply its length; see below)
  • lcredit = the maximum credit for lowercase letters, or, if negative, the minimum number of lowercase letters required
  • ucredit = the same for uppercase letters
  • dcredit = the same for digits
  • ocredit = the same for other (non-alphanumeric) characters
  • difok = the number of characters in the new password that must not appear in the old one

Here's where the configuration gets a bit tricky. You might think that minlen is the minimum length a password must be. Wrong. minlen is the minimum length score a password must reach before it is accepted, and some characters count more than once toward that score. With positive credit values (the module's default for each class is 1) the score is built up like this:

  • Every character in the password adds one point (regardless of type)
  • Every lowercase letter adds one more point (up to the value of lcredit)
  • Every uppercase letter adds one more point (up to the value of ucredit)
  • Every digit adds one more point (up to the value of dcredit)
  • Every special character adds one more point (up to the value of ocredit)

So with the stock Ubuntu line above (minlen=8 and every credit at its default of 1), a password such as abc123 scores 6 + 1 + 1 = 8 and is accepted even though it is only six characters long. Note also that pam_cracklib never lets the effective minlen drop below 6, whatever you set.

You can also set a credit to a negative number. A negative value is a hard minimum for that class (the password must contain at least that many lowercase letters, digits, and so on) and the class then earns no extra credit at all, whereas a positive value is the maximum credit that class can contribute to the score.

Let's take a look at this example:

password requisite pam_cracklib.so try_first_pass retry=3 minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username

Because all four credits are negative, no credit is awarded at all, so here minlen=16 really does mean at least 16 characters. The password must also include at least one character from each of the four classes and differ from the old password in at least four characters. I also include reject_username to prevent users from setting their username (forward or reversed) as a password. One caveat: by default these checks only produce a warning when root changes a password; add enforce_for_root to the line if you want root held to the same policy.
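To see what the scoring actually admits, here is an added example (not code from the article) that reimplements pam_cracklib's minlen/credit rule in shell and runs a few constructed passwords against the stock Ubuntu line and against a strict line with minlen=16 and every credit set to -1. The helper names are my own; only the length/credit arithmetic is reproduced, not the module's dictionary, palindrome, similarity or difok checks.

```shell
#!/bin/sh
# Added example (not from the article): reproduce pam_cracklib's
# minlen/credit arithmetic so a policy line can be checked against candidate
# passwords before it goes into /etc/pam.d/common-password. Only the
# length/credit rule is modelled; the module's dictionary, palindrome,
# similarity and difok checks are not.

# opt LINE NAME DEFAULT: value of NAME=value on a PAM policy line, else DEFAULT.
opt() {
  local v
  v=$(printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p")
  printf '%s' "${v:-$3}"
}

# count_class STRING SET: how many characters of STRING fall in the tr set SET.
count_class() {
  local n
  n=$(printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c)
  printf '%s' "$((n + 0))"
}

# cracklib_check PASSWORD POLICY_LINE
# Exit status 0 if PASSWORD satisfies minlen and the four credits on
# POLICY_LINE, 1 if not. Absent options take the module defaults (minlen=9,
# every credit 1) and minlen is floored at 6, as the module does.
cracklib_check() {
  local pw="$1" line="$2" minlen len lowers uppers digits others required pair count credit
  minlen=$(opt "$line" minlen 9)
  [ "$minlen" -lt 6 ] && minlen=6
  len=${#pw}
  lowers=$(count_class "$pw" 'a-z')
  uppers=$(count_class "$pw" 'A-Z')
  digits=$(count_class "$pw" '0-9')
  others=$((len - lowers - uppers - digits))
  required=$minlen
  for pair in "$lowers:$(opt "$line" lcredit 1)" \
              "$uppers:$(opt "$line" ucredit 1)" \
              "$digits:$(opt "$line" dcredit 1)" \
              "$others:$(opt "$line" ocredit 1)"; do
    count=${pair%%:*}
    credit=${pair##*:}
    if [ "$credit" -ge 0 ]; then
      # non-negative credit: each character of the class earns one extra
      # point, up to the credit, which lowers the length actually required
      [ "$count" -gt "$credit" ] && count=$credit
      required=$((required - count))
    elif [ "$count" -lt $((0 - credit)) ]; then
      # negative credit: a hard per-class minimum, and no credit at all
      return 1
    fi
  done
  [ "$len" -ge "$required" ]
}

# The stock Ubuntu line and the strict line discussed in the article.
STOCK='password requisite pam_cracklib.so retry=3 minlen=8 difok=3'
STRICT='password requisite pam_cracklib.so try_first_pass retry=3 minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username'

# report PASSWORD: print the verdict of both policies for one candidate.
report() {
  local line verdict
  for line in "$STOCK" "$STRICT"; do
    if cracklib_check "$1" "$line"; then verdict=accept; else verdict=reject; fi
    printf '%-26s minlen=%-3s %s\n' "$1" "$(opt "$line" minlen 9)" "$verdict"
  done
}

# Constructed sample passwords; abc123 shows that minlen=8 with default
# credits accepts a six-character password.
for pw in 'abc123' 'Passw0rd!' 'correcthorsebatterystaple' 'CorrectHorseBattery1!'; do
  report "$pw"
done
```

Run it with sh and compare the two columns: the stock line accepts every sample, including abc123, while the strict line rejects everything except the 21-character password that contains all four classes.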

Should a user attempt to change a password, and not meet the requirements, they will find out pretty quickly (Figure A).

Figure A: A failed attempt to change a password. Image: Jack Wallen
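An added example, not from the article, that automates the backup-and-edit steps above: a shell function that replaces the pam_cracklib line in a common-password-style file with the strict policy line, after writing a timestamped backup. The function name, the backup naming scheme and the sample file are my own; the sample is a constructed excerpt of the Ubuntu 16.04 file, not the live file, so the script can be tried without touching /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the article): put the strict policy line into a
# common-password file, keeping a timestamped backup so the change can be
# reverted if it locks anyone out of passwd. Run as root on the real file:
#   install_cracklib_policy /etc/pam.d/common-password

POLICY='password requisite pam_cracklib.so try_first_pass retry=3 minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 reject_username'

# install_cracklib_policy FILE [POLICY_LINE]
# Replaces the one pam_cracklib line in FILE with POLICY_LINE (default: the
# line above) and leaves every other line alone. Exit status 0 on success;
# 1, with nothing written, unless FILE contains exactly one pam_cracklib line.
install_cracklib_policy() {
  local file="$1" policy="${2:-$POLICY}" n backup tmp
  n=$(grep -c '^password.*pam_cracklib\.so' "$file" 2>/dev/null || true)
  if [ "${n:-0}" -ne 1 ]; then
    echo "expected exactly one pam_cracklib line in $file, found ${n:-0}" >&2
    return 1
  fi
  backup="$file.$(date +%Y%m%d%H%M%S).bak"
  cp -p "$file" "$backup" || return 1
  tmp=$(mktemp) || return 1
  # awk -v keeps the policy text out of the script, so no quoting surprises
  awk -v policy="$policy" '
    /^password.*pam_cracklib\.so/ { print policy; next }
    { print }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  # write through cat so FILE keeps its inode, owner and mode
  cat "$tmp" > "$file"
  rm -f "$tmp"
  echo "backup written to $backup"
  diff "$backup" "$file" || true   # diff exits 1 when the files differ
}

# Demonstration on a constructed excerpt of the stock Ubuntu 16.04 file,
# never on the live /etc/pam.d/common-password.
demo=$(mktemp)
printf '%s\n' \
  '# /etc/pam.d/common-password - password-related modules common to all services' \
  'password requisite pam_cracklib.so retry=3 minlen=8 difok=3' \
  'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512' \
  'password requisite pam_deny.so' \
  'password required pam_permit.so' > "$demo"
install_cracklib_policy "$demo"
rm -f "$demo" "$demo".*.bak
```

After running it against the real file, test the policy from a second terminal with passwd on a non-root test account before you log out of the first, so the backup is at hand if the new line turns out to be mistyped.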

Keep learning

You owe it to yourself and your company to ensure that user passwords meet a defined standard, and on your Linux servers the mechanism I've outlined is the way to enforce it. You'll also want to learn as much as possible about pam_cracklib: open a terminal window and issue the command man pam_cracklib. That man page documents every option the module accepts, including the dictionary, palindrome and similarity checks it runs by default that this article does not cover. Note that newer distribution releases ship pam_pwquality in place of pam_cracklib; it accepts the same minlen, credit, difok, retry and reject_username options, so the policy above carries over.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.