How do you set requirements (such as minimum length) on passwords?

Is there any way to set up minimum passcode requirements, such as a minimum length, requirement of mixed case alphanumerics and at least 1 symbol in the passcode, and enforce that at passcode changes?


Password complexity in Ubuntu is controlled by PAM. Unfortunately, PAM is "typically Unix"-like in its approach, meaning that it spreads its configuration through a large number of very confusing files.

The file that controls password complexity is:

/etc/pam.d/common-password

There is a line:

password [success=1 default=ignore] pam_unix.so obscure sha512

Which defines the basic rules for password complexity. You can add a minimum length override by changing it to:

password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=12

or whatever minimum you want. As you can see, the default already defines some basic obscurity rules. These basic rules can be seen in:

man pam_unix

Search for "obscure".

There are a large number of PAM modules that can be installed.

apt-cache search libpam-

Should show you them.

You will need to hunt down the documentation for them, I'm afraid. But "cracklib" is a common addition.

UPDATE: I should have pointed out that the default "obscure" parameter includes tests for complexity based on previous passwords and simplicity (length, number of different types of character). The example in the manpage shows cracklib in action. Install libpam_cracklib to get that working.

Also, once you have worked out what to change, the changes are the same in other files so that you can enforce the same (or different) password checks for SSH and other applications.


Pre-installed PAM modules allow you to set up basic requirements with regard to complexity. There is a nice module which is the successor of the pam_cracklib module: pam_pwquality. To install it, type the following:

apt-get install libpam-pwquality

then get familiar with this one

man pam_pwquality

especially with the "Options" section.

Now you can edit the common-password in /etc/pam.d/

vi /etc/pam.d/common-password

Find the line which contains the "password requisite pam_pwquality.so" statement and, after pam_pwquality.so, attach your options like this:

password        requisite         pam_pwquality.so minlen=16 ucredit=-4 retry=3

which stands for "the minimum size of the password is 16 characters, where a minimum of 4 of them are uppercase. Prompt the user for the password 3 times."

pam_pwquality allows you to make much more complex password requirements in combination with other modules like pam_pwhistory. Good luck.


Password values are controlled in the file

/etc/pam.d/common-password

For more information on how to modify the file, see the pam_unix manpage.
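
To confirm that an edit to common-password took effect, the minlen settings described in the answers above can be read back from the password stack. This is an added example, not code from any of the answers; the function names pam_opt and audit_minlen, the threshold of 12 and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the answers): audit a PAM password stack for minlen.

# pam_opt FILE MODULE OPTION
# Print OPTION's value from the first active "password" line loading MODULE.
# Returns 1 when the module or the option is absent.
pam_opt() {
    awk -v mod="$2" -v opt="$3" '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        $1 == "password" {
            seen = 0
            for (i = 2; i <= NF; i++) {
                if ($i == mod) { seen = 1; continue }
                # only arguments after the module name belong to the module,
                # so "[success=1 default=ignore]" is never mistaken for one
                if (seen && index($i, opt "=") == 1) {
                    print substr($i, length(opt) + 2)
                    found = 1
                    exit
                }
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_minlen FILE WANT
# Returns 0 if pam_pwquality.so or pam_unix.so sets minlen >= WANT.
audit_minlen() {
    for mod in pam_pwquality.so pam_unix.so; do
        if val=$(pam_opt "$1" "$mod" minlen); then
            case $val in *[!0-9]*|'') echo "BAD: $mod minlen=$val"; continue ;; esac
            if [ "$val" -ge "$2" ]; then
                echo "OK: $mod minlen=$val"
                return 0
            fi
            echo "WEAK: $mod minlen=$val is below $2"
        fi
    done
    echo "FAIL: no minlen of at least $2 is configured"
    return 1
}

# Constructed sample input, modelled on the lines quoted in the answers.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# password        requisite         pam_pwquality.so minlen=4
password        requisite         pam_pwquality.so minlen=16 ucredit=-4 retry=3
password [success=1 default=ignore] pam_unix.so obscure sha512
EOF
audit_minlen "$sample" 12
```

On a real system, pass /etc/pam.d/common-password instead of the sample file. The script only inspects arguments on the PAM line, and pam_pwquality can also take settings from /etc/security/pwquality.conf.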