Cyber-attacks are becoming increasingly ubiquitous and difficult to deal with and Hackers relentlessly try to exploit common weak passwords. As a result, organizations have to safeguard themselves by using strong password criteria to secure their systems. In this article, we’ll take a look at the mechanics of enforcing strong password criteria on a Linux system.
Installing and configuring pwquality
We’ll be using the pwquality module for the Pluggable Authentication Module (PAM). This is a newer technology that has replaced the old cracklib module and this provides a way to configure the default password quality requirements for the system passwords.
1. Install the libpam-pwquality package:
#apt install libpam-pwquality
2. Open the /etc/security/pwquality.conf file in your preferred text editor.
When you open this file in your text editor, you’ll see that everything is commented out, which means that no password complexity criteria are in effect. You can set password complexity criteria however you want just by uncommenting the appropriate lines and setting the appropriate values.
3. Set minimum password length.
Users can not set their password length less than this parameter.
4. Set minimum number of required classes of characters for the new password. (kinds ⇒ UpperCase / LowerCase / Digits / Others)
5. Set maximum number of allowed consecutive same characters in the new password.
6. Set maximum number of allowed consecutive characters of the same class in the new password.
7. Require at least one lowercase character in the new password.
8. Require at least one uppercase character in the new password.
9. Require at least one digit in the new password.
10. Require at least one other character in the new password.
11. Set number of characters in the new password that must not be present in the old password.
12. Check whether the words longer than 3 characters from the GECOS field of the user’s passwd entry are contained in the new password.
By following this guide, you can now setup a strong password policy for your linux system using pwquality.