How do I enforce a password complexity policy?

I need to configure an Ubuntu server to follow a strict company password policy that specifies the following:

  • at least one upper case
  • at least one lower case
  • at least one digit
  • at least one special character

I've had a look around, and all I have found is instructions for specifying the password length, but I have yet to find something that relates to specifying the content of the password regarding the above points.

Any help would be appreciated.


Solution 1:

Password complexity is enforced by the pam_cracklib module.

In order to modify the password policy for your local machine, you will need to modify your /etc/pam.d/common-password file.

From a terminal window (Ctrl+Alt+T), enter the following command:

sudo -i gedit /etc/pam.d/common-password

Add the following line to the file (before pam_unix.so or whichever PAM module is used primarily for authentication, as can be seen from examples in the manpage) and save the file:

password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1

This statement implements the following password requirements:

  • dcredit == digit
  • ucredit == upper-case character
  • lcredit == lower-case character
  • ocredit == other character (special characters, including ! , @ # $ %)

This should satisfy your requirements.

You could also use the options minlen and retry to further restrict the password requirements.

Another good example of modifying a password policy in this manner would be placing the following line in the /etc/pam.d/common-password file:

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1

This entry will set a maximum of three attempts at getting an acceptable password with a 10-character minimum length.

This sets the requirement for users to have a minimum of three characters different from the last password.

This will also fulfill the requirement that the password contain at least one each of a digit, a lower-case character, and an upper-case character.

See also this article on setting up stronger password policy rules in Linux.
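As an added check that is not from the question or either answer: a small POSIX sh audit function (with constructed sample files) that parses a common-password file for the pam_cracklib.so or pam_pwquality.so line and reports whether the four *credit=-1 requirements and a minlen of at least 10 are actually set. It assumes the one-option-per-field layout shown in the lines above.

```shell
# Audit a PAM password stack for the policy above: each character class required
# (ucredit/lcredit/dcredit/ocredit = -1) and minlen >= 10. Accepts a pam_cracklib.so
# or pam_pwquality.so line (same option names). Exit 0 if compliant, else 1 plus
# one printed line per violation.  Usage: check_pam_pw_policy FILE
check_pam_pw_policy() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                # skip comments and blank lines
        $1 == "password" {
            m = 0                                     # field index of the module, if any
            for (i = 2; i <= NF; i++)
                if ($i ~ /pam_(cracklib|pwquality)\.so$/) { m = i; break }
            if (m) {
                found = 1
                for (i = m + 1; i <= NF; i++) {       # collect key=value options
                    split($i, kv, "="); opt[kv[1]] = kv[2]
                }
            }
        }
        END {
            if (!found) { print "no pam_cracklib/pam_pwquality password line"; exit 1 }
            bad = 0
            # negative credit = minimum count of that class; 0 or positive enforces nothing
            n = split("ucredit lcredit dcredit ocredit", cls, " ")
            for (i = 1; i <= n; i++) {
                c = cls[i]
                if (!(c in opt) || opt[c] + 0 > -1) { print c " not required (want -1)"; bad = 1 }
            }
            if (!("minlen" in opt) || opt["minlen"] + 0 < 10) { print "minlen below 10"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample files (not real system config) to exercise the check.
TMPD=$(mktemp -d); GOOD_CONF="$TMPD/good"; BAD_CONF="$TMPD/bad"
cat > "$GOOD_CONF" <<'EOF'
# the full line from the answer above, followed by the usual pam_unix entry
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF
cat > "$BAD_CONF" <<'EOF'
# length only: no character-class requirement, and too short
password requisite pam_pwquality.so retry=3 minlen=8
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    if check_pam_pw_policy "$f"; then echo "$f: compliant"; else echo "$f: NOT compliant"; fi
done
```

Run it against the real /etc/pam.d/common-password to confirm the line you added was parsed the way you intended; a pam_unix.so-only stack is reported as non-compliant.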

Solution 2:

There's a fork of pam_cracklib by Tomas Mraz: pam_pwquality with slightly better options.

Add it with apt install libpam-pwquality or passwd will complain:

Module is unknown