Server User Password Management: Best Practices

Managing a dedicated server requires a bit of babysitting. Even though most website owners and users have been told once or possibly even several times to make secure passwords, many do not. They may actually have pretty good reasons to use weak passwords, especially if they have multiple accounts in various systems.

Because of this, you can either accept poor password practices by your server’s users or enforce policies that monitor password usage and encourage users to keep updated, secure passwords. There are a few ways to accomplish this. You can manage password aging, password reuse, and password complexity.

1. Aging – On a Linux server, the “chage” command manages the age policies for passwords. To set the maximum number of days a password may be used before the user must change it, enter as root:

chage -M NN username

“NN” is the number of days and “username” is the user whose account you want to manage. For example:

chage -M 90 maire

In this example, your user named Maire will be forced to change her password after 90 days. (The lowercase “-m” option sets the opposite bound, the minimum number of days between changes, and “chage -l maire” shows the settings currently in effect for the account.)
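To check the aging policy across all accounts rather than one user at a time, here is an added shell example (not from the original post) that parses a constructed /etc/shadow-format sample, reports accounts with a usable password whose maximum age is unset or above the limit, and prints the chage commands that would bring them into line; the sample data and the 90-day limit are assumptions.

```shell
#!/bin/sh
# Audit password-aging fields in shadow(5) format and report accounts whose
# maximum password age exceeds a policy limit or is not set at all.

POLICY_MAX_DAYS=90   # assumed policy; adjust to taste

# Constructed sample in /etc/shadow layout (not a real system):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$x:19700:0:99999:7:::
maire:$6$x:19700:0:90:7:::
bob:$6$x:19700:0::7:::
svc_backup:!:19700:0:99999:7:::
carol:$6$x:19700:0:365:7:::
nologin_user:*:19700:0:99999:7:::'

# Print "user max" for each account whose hash is usable (not empty, "*" or
# "!...") and whose max-age field (5) is empty or greater than the limit.
# $1 = shadow-format text, $2 = policy max days
audit_shadow() {
    printf '%s\n' "$1" | awk -F: -v limit="$2" '
        $2 == "" || $2 == "*" || substr($2, 1, 1) == "!" { next }
        $5 == "" || $5 + 0 > limit { print $1, ($5 == "" ? "unset" : $5) }
    '
}

# Emit the chage command that fixes each reported account (dry run: printed,
# not executed, so the output can be reviewed before running it as root).
remediation_commands() {
    audit_shadow "$1" "$2" | awk -v limit="$2" '{ print "chage -M " limit " " $1 }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "Accounts out of policy (max > $POLICY_MAX_DAYS days or unset):"
    audit_shadow "$SAMPLE_SHADOW" "$POLICY_MAX_DAYS"
    echo "Suggested remediation:"
    remediation_commands "$SAMPLE_SHADOW" "$POLICY_MAX_DAYS"
fi
```

On a live server, replace the sample with `cat /etc/shadow` (readable only by root) and pipe the remediation output into sh once you have reviewed it.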

2. Reuse – To limit password reuse, you will need to open the auth configuration file for PAM (pluggable authentication modules). In it you can set the number of passwords you want PAM to remember. For example, to prevent users from using any of their last 10 passwords, edit the file /etc/pam.d/system-auth (it may have different names in various distributions, such as common-auth).

Find the “password” line for the pam_unix.so module (several lines in the file may begin with “password”; the pam_unix.so entry is the one to edit) and add “remember=10” to the end of it.

password    sufficient    pam_unix.so use_authtok md5 shadow remember=10

Save the file and close it. That will prevent users from reusing any of their last 10 passwords and make your server a little more secure. Feel free to raise or lower the number, depending on your needs. Two things to check: pam_unix stores the old hashes in /etc/security/opasswd, so that file must exist (create it with mode 0600 if it does not), and on current systems the hash option is usually sha512 rather than md5. Newer distributions often provide the same check through the pam_pwhistory.so module instead, which accepts the same remember= option.

Tomorrow, we will learn about password complexity.