M y linux shell user can modify their password using the passwd command. How can I force users to choose the secure password that will prevent users from using stupid passwords like “abc123”, “password”, “123456” and so on? How do I setup password quality requirements on my Debian or Ubuntu Linux server?
You need to install libpam_cracklib package which includes a PAM module that tests passwords to make sure they are not too weak during password change while using the passwd command on Linux.
Securing passwords with libpam_cracklibThe strength libpam_cracklib checks works in the following manner. At first the Cracklib routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are:
Is the new password a palindrome? Is the new password the the old one with only a change of case? Is the new password too much like the old one? This is primarily controlled by one argument, difok which is a number of character changes (inserts, removals, or replacements) between the old and new password that are enough to accept the new password. This defaults to 5 changes. Is the new password too small? This is controlled by 6 arguments minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit. Is the new password a rotated version of the old password? Optional check for same consecutive characters. Optional check for too long monotonic character sequence. Optional check whether the password contains the user’s name in some form.The/etc/passwd file and/etc/shadow file are used on Linux to store user information including passwords.
InstallationType the following command to install libpam_cracklib on an Ubuntu or Debian Linux based system:
$ sudo apt install libpam-cracklibOR
$ sudo apt-get install libpam-cracklibSample outputs:
Image may be NSFW.
Clik here to view.
Fig.01: Install a PAM module called Cracklib
ConfigurationYou need to edit the file /etc/pam.d/common-password, enter:
$ sudo cp /etc/pam.d/common-password /root/ $ sudo nano /etc/pam.d/common-passwordOR
$ sudo cp /etc/pam.d/common-password /root/ $ sudo vi /etc/pam.d/common-passwordNow you can force users to have strong passwords that contain complex characters including lowercase, digits, uppercase, spacial characters and punctuation. Locate the line:
password requisite pam_cracklib.so retry=3 minlen=8 difok=3And update it as follows:
password requisite pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2Where,
retry=3 : Prompt user at most 3 times before returning with error. The default is 1. minlen=16 : The minimum acceptable size for the new password. difok=3 : This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password. ucredit=-1 : The new password must contain at least 1 lowercase characters. lcredit=-2 : The new password must contain at least 2 lowercase characters. dcredit=-2 : The new password must contain at least 2 digits. ocredit=-2 : The new password must contain at least 2 symbols. Negative (N>0) vs Positive (N<0) numbers in an optionOf course, these are sample values. The negative number such as -2 (e.g. ucredit=-2 ) indicates that this is the minimum number of upper case letters that must set a new password. The positive number is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10. You may need to change/adjust these values as per your setup to avoid brute force attack.
Test itNow if user try to setup a new simple (weak) password:
$ sudo passwd vivekNew password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
Sorry, passwords do not match.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password:
Sorry, passwords do not match.
New password:
Here is a sample password that will pass our requirements:
5I!L0ve@PiaZza6YeSOR
s^8Kn<bzg9Ruv,8sAnd there you have it, secure password set automatically using security checks and constraints using libpam-cracklib on Debian or Ubuntu Linux system.
Share this tutorial on: