How to Configure Linux Password Policies

One of your best weapons in the fight for server security is strong password management. Using the password policies you set in Linux, you enforce strong passwords, require password renewals and many other effective security measures.

First, you should install the cracklib module for PAM. Cracklib tests password strength. If you are using RHEL, CentOS or Fedora, it is installed by default. The password security options live in the PAM configuration files under /etc/pam.d.

To set the minimum password length, edit /etc/pam.d/system-auth on Red Hat distributions or /etc/pam.d/common-password on Debian distros. The length setting will look something like this:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3

Here minlen is the minimum length in characters; in this example it is 8. The "difok" setting is the number of characters in the new password that must differ from the previous password.

Next, you can set password complexity on the same line, the one that contains "password" and "pam_cracklib.so". It will look like this:

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

"ucredit" controls uppercase letters, "lcredit" lowercase letters, "dcredit" numerals and "ocredit" symbols. A negative value is a minimum: ucredit=-1 requires at least one uppercase letter, lcredit=-2 at least two lowercase letters, dcredit=-1 at least one numeral and ocredit=-1 at least one symbol. A positive value (the default is 1) is instead a credit: each character of that class, up to the value given, counts as one extra character toward minlen, so a password that mixes classes can be shorter than minlen.
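The two settings above, minlen with difok and the four credit options, interact in a way that is easy to get wrong, so it helps to evaluate a candidate line offline before editing a live PAM stack. The following script is an added example, not code from the article or from the pam_cracklib module itself: it parses a pam.d line into a policy, then applies the module's length arithmetic (negative credits are hard minimums, positive credits add to the effective length, capped at the credit value) to sample passwords. The two configuration lines and the passwords are constructed for the example, and the difok check is a simplified version of the module's similarity test (it counts characters of the new password that do not occur in the old one).

```python
"""Offline evaluator for pam_cracklib policy lines (added example)."""
import shlex
from dataclasses import dataclass, asdict

# Constructed sample lines, modelled on the two examples in the article.
LENGTH_LINE = "password requisite pam_cracklib.so retry=3 minlen=8 difok=3"
COMPLEXITY_LINE = ("password requisite pam_cracklib.so retry=3 minlen=10 difok=3 "
                   "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1")


@dataclass
class CracklibPolicy:
    # Module defaults: minlen 9, difok 5, every credit +1.
    retry: int = 1
    minlen: int = 9
    difok: int = 5
    ucredit: int = 1
    lcredit: int = 1
    dcredit: int = 1
    ocredit: int = 1


def parse_pam_line(line: str) -> CracklibPolicy:
    """Build a policy from one pam.d line; options we do not model are ignored."""
    fields = shlex.split(line, comments=True)
    if len(fields) < 3 or fields[0] != "password":
        raise ValueError("not a 'password' stack entry: %r" % line)
    if not fields[2].endswith("pam_cracklib.so"):
        raise ValueError("not a pam_cracklib.so entry: %r" % line)
    policy = CracklibPolicy()
    known = asdict(policy)
    for arg in fields[3:]:
        key, sep, value = arg.partition("=")
        if sep and key in known:
            setattr(policy, key, int(value))
    return policy


def count_classes(password: str) -> dict:
    """Count characters per class, keyed by the credit option that governs it.
    Assumes ASCII passwords, which is also what pam_cracklib classifies."""
    counts = {"ucredit": 0, "lcredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        elif ch.isdigit():
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_password(policy: CracklibPolicy, new: str, old: str = None) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    effective = len(new)  # length plus any credits earned
    for name, count in count_classes(new).items():
        credit = getattr(policy, name)
        if credit < 0:
            # Negative credit: a hard minimum for this class, no length bonus.
            if count < -credit:
                violations.append(f"{name}: need at least {-credit}, got {count}")
        else:
            # Positive credit: each character of the class, up to the credit
            # value, counts as one extra character toward minlen.
            effective += min(count, credit)
    if effective < policy.minlen:
        violations.append(f"minlen: effective length {effective} < {policy.minlen}")
    if old is not None:
        # Simplified difok: characters of the new password absent from the old one.
        differing = sum(1 for ch in new if ch not in old)
        if differing < policy.difok:
            violations.append(f"difok: only {differing} new characters, need {policy.difok}")
    return violations


if __name__ == "__main__":
    for line in (LENGTH_LINE, COMPLEXITY_LINE):
        policy = parse_pam_line(line)
        print(line)
        for pw in ("abcdefg", "Abcde1", "Tr0ub4dor&x", "troubadorx1", "Tr0ub4d&"):
            result = check_password(policy, pw)
            print(f"  {pw!r:16} -> {'OK' if not result else '; '.join(result)}")
```

Running it shows the two behaviours the article's lines produce: with the minlen=8 line and default credits, the all-lowercase "abcdefg" passes at seven characters because its single class earns one credit, while with the second line every class is a hard requirement and "troubadorx1" fails for lacking an uppercase letter and a symbol even though it is longer than minlen.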

For more on PAM and all that it can do to manage your passwords, see the online documentation.
