On a dedicated server, password complexity determines the length and character combinations of user passwords. In Linux password management is controlled by PAM (pluggable authentication modules), which is installed by default.
Unfortunately, configuring PAM is no walk in the park. Once you figure it out, however, you will not have to configure it very often. The specific portion of PAM that handles password complexity is called “cracklib”, and it is found in /etc/pam.d/systemauth on most Redhat-based systems.
Begin by editing the file as root:
Next, change the following line from:
password requisite pam_cracklib.so try_first_pass retry=3
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
minlen means the minimum length it will allow for a password. 8 is standard, but you can make it longer or shorter.
lcredit refers to the minimum number of lowercase letters allowed, and ucredit is for uppercase.
dcredit specifies the number of numeric digits allowed.
ocredit will regulate the number of other characters.
All of the options are configurable, so choose the numbers that best fit the type of passwords you want your users to have. They can be as simple or as complex as you want. Good passwords will have combinations of letters and numbers and will not use any dictionary words. Better passwords will also include upper and lower case letters.
Remember that any changes made under /etc will be system-wide. In other words, the new password rules will apply to everyone, including you. The restrictions you put in place are ones you will have to live with as well, so make sure you do not require passwords with a minimum of 30 characters, unless your top secret security clearance requires it.
- How to Configure Linux Password Policies
- Best Practices for Password Security
- Automated Password Generator (APG)
- Server User Password Management: Best Practices
- How to Require Regular Password Changes