How to force users to use secure passwords on Ubuntu/Debian Linux

Last updated August 29, 2016

My Linux shell users can change their password with the passwd command. How can I force them to choose a secure password and prevent weak choices like “abc123”, “password”, “123456” and so on? How do I set up password quality requirements on my Debian or Ubuntu Linux server?

You need to install the libpam-cracklib package. It provides pam_cracklib.so, a PAM module that checks a proposed new password against a dictionary and a set of strength rules whenever the password is changed with passwd (or any other program that goes through the PAM password stack) on Linux.

Securing passwords with libpam-cracklib

The checks pam_cracklib performs work as follows. First the Cracklib routine is called to test whether the password is based on a dictionary word; if it is not, an additional set of strength checks is run:

  1. Is the new password a palindrome?
  2. Is the new password the old one with only a change of case?
  3. Is the new password too much like the old one? This is controlled mainly by one argument, difok: the number of character changes (inserts, removals or replacements) between the old and new password that are enough to accept the new one. The default is 5 changes.
  4. Is the new password too small? This is controlled by 6 arguments: minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit.
  5. Is the new password a rotated version of the old password?
  6. Optional check for the same character repeated consecutively.
  7. Optional check for too long a monotonic character sequence (such as “12345” or “fedcb”).
  8. Optional check whether the password contains the user’s name in some form.

User account information is stored in /etc/passwd; the password hashes themselves live in /etc/shadow, which is readable only by root. pam_cracklib runs before the new hash is written there, so a weak choice is rejected up front rather than after the fact.

Installation

Type the following command to install libpam-cracklib on an Ubuntu or Debian Linux based system:
$ sudo apt install libpam-cracklib
OR
$ sudo apt-get install libpam-cracklib
Sample outputs:

Fig.01: Install a PAM module called Cracklib

Configuration

Make a backup copy, then open /etc/pam.d/common-password in an editor (either one will do):
$ sudo cp /etc/pam.d/common-password /root/
$ sudo nano /etc/pam.d/common-password

OR
$ sudo cp /etc/pam.d/common-password /root/
$ sudo vi /etc/pam.d/common-password

Note that on Debian and Ubuntu this file is generated by pam-auth-update(8), and a later run of pam-auth-update (for example when another PAM package is installed) can regenerate it. Re-check the pam_cracklib.so line afterwards, or put the same arguments on the pam_cracklib.so lines in /usr/share/pam-configs/cracklib and run pam-auth-update so the change survives regeneration.

Now you can force users to have strong passwords that contain a mix of character classes: lowercase letters, uppercase letters, digits, special characters and punctuation. Locate the line:

password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3

And update it as follows:

password        requisite                       pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2

Where,

  • retry=3 : Prompt the user at most 3 times before returning with an error. The default is 1.
  • minlen=16 : The minimum acceptable size for the new password.
  • difok=3 : Changes the default of 5 for the number of character changes in the new password that must differentiate it from the old password.
  • ucredit=-1 : The new password must contain at least 1 uppercase character.
  • lcredit=-2 : The new password must contain at least 2 lowercase characters.
  • dcredit=-2 : The new password must contain at least 2 digits.
  • ocredit=-2 : The new password must contain at least 2 symbols (characters that are not letters or digits).
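To apply the line above without an interactive editor, and to confirm afterwards what is actually set, here is a small shell script. It is an added example, not from the original article: set_cracklib_policy and cracklib_policy are names chosen here, the common-password it operates on is a constructed copy, and the enforce_for_root option appended to the article's policy line is an assumption (pam_cracklib only warns root by default; enforce_for_root makes the checks binding for root as well).

```shell
#!/bin/sh
# Added example (not from the original article): set the pam_cracklib policy
# on a common-password file non-interactively and verify it landed.
# Works on a constructed copy so it can be run anywhere; point it at
# /etc/pam.d/common-password as root to apply it for real.
set -eu

# The article's line plus enforce_for_root (assumption: you want root bound by the checks too).
POLICY='retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2 enforce_for_root'
# type, control and module fields of the line we manage
MODULE_RE='password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so'

# cracklib_policy FILE -> prints the arguments currently set on the pam_cracklib.so line
cracklib_policy() {
    sed -nE "s|^${MODULE_RE}[[:space:]]*||p" "$1"
}

# set_cracklib_policy FILE POLICY
# Replaces the argument list on the pam_cracklib.so line with POLICY, keeping a
# timestamped backup beside the file. Fails (exit 1) when FILE has no such line,
# because with the line absent no password policy is enforced at all.
set_cracklib_policy() {
    file=$1; policy=$2
    grep -Eq "^${MODULE_RE}" "$file" || return 1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # Keep the type/control/module fields and replace everything after them.
    sed -E "s|^(${MODULE_RE}).*|\\1 ${policy}|" "$file" > "$file.tmp"
    # Write back through the existing inode so owner/mode in /etc/pam.d are kept.
    cat "$file.tmp" > "$file"
    rm -f "$file.tmp"
}

# Constructed sample resembling /etc/pam.d/common-password on Ubuntu 16.04 with
# libpam-cracklib installed (the real file carries more comment lines).
tmpdir=$(mktemp -d)
sample="$tmpdir/common-password"
cat > "$sample" <<'EOF'
password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF

printf 'before: %s\n' "$(cracklib_policy "$sample")"
set_cracklib_policy "$sample" "$POLICY"
printf 'after:  %s\n' "$(cracklib_policy "$sample")"
ls "$tmpdir"        # the .bak.<timestamp> copy sits next to the file
rm -rf "$tmpdir"
```

Run set_cracklib_policy against /etc/pam.d/common-password as root to change the live system. Because Debian and Ubuntu generate that file with pam-auth-update, the change is more durable if you also put the same arguments on the pam_cracklib.so lines in /usr/share/pam-configs/cracklib and run pam-auth-update.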

Negative (N<0) vs positive (N>0) values for the credit options

Of course, these are sample values. The sign decides what a credit option means. A negative value, such as ucredit=-2, is a hard requirement: the new password must contain at least 2 uppercase letters, and those letters earn no length bonus. A positive value N is the maximum credit for that character class: if the password has N or fewer characters of that class, each one counts +1 towards meeting minlen; with more than N, only N of them count. The default for each of dcredit, ucredit, lcredit and ocredit is 1, which is the recommended value for minlen below 10. Adjust these values to suit your environment; the point is to make password-guessing (brute-force) attacks impractical.
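To see what the sign of a credit option does to real candidates, here is a shell model of the minlen-plus-credits rule described above. It is an added example and not pam_cracklib's own code: check_simple, count_class and preview are names chosen here, the test passwords are constructed, and only the length/credit rule is modelled (the dictionary, palindrome, similarity, repeat and user-name checks are left out). Besides the article's two policy lines it also runs the module's own default (minlen=9 with credits of 1), which goes beyond the text to show why a single-class password has to be 8 characters long there.

```shell
#!/bin/sh
# Added example (not pam_cracklib's own code): model of the module's length
# check, i.e. minlen combined with ucredit/lcredit/dcredit/ocredit, so a policy
# line can be previewed before it goes into /etc/pam.d/common-password.
set -eu

# count_class PASSWORD CLASS -> number of characters of PASSWORD in the tr(1) class CLASS
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_simple PASSWORD MINLEN UCREDIT LCREDIT DCREDIT OCREDIT
# Prints OK (exit 0) or the first failing rule (exit 1).
#   credit < 0  : hard minimum; the password needs at least -credit characters
#                 of that class and gets no length bonus for them
#   credit >= 0 : each character of the class adds 1 to the length score, up to credit
# The password passes when its length plus all bonuses reaches MINLEN.
check_simple() {
    pw=$1 minlen=$2 ucredit=$3 lcredit=$4 dcredit=$5 ocredit=$6
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    up=$(count_class "$pw" '[:upper:]')
    low=$(count_class "$pw" '[:lower:]')
    dig=$(count_class "$pw" '[:digit:]')
    oth=$(( len - up - low - dig ))        # everything that is not a letter or digit
    score=$len
    for spec in "$up:$ucredit:uppercase" "$low:$lcredit:lowercase" \
                "$dig:$dcredit:digit" "$oth:$ocredit:other"; do
        n=${spec%%:*}; rest=${spec#*:}; credit=${rest%%:*}; class=${rest#*:}
        if [ "$credit" -lt 0 ]; then
            need=$(( 0 - credit ))
            if [ "$n" -lt "$need" ]; then
                echo "needs at least $need $class characters (has $n)"
                return 1
            fi
        else
            bonus=$n
            [ "$bonus" -gt "$credit" ] && bonus=$credit
            score=$(( score + bonus ))
        fi
    done
    if [ "$score" -lt "$minlen" ]; then
        echo "too short (scores $score against minlen $minlen)"
        return 1
    fi
    echo OK
}

# preview LABEL MINLEN U L D O -> runs the constructed test passwords through one policy
preview() {
    label=$1; shift
    echo "== $label =="
    for pw in 'abcdefg' 'abcdefgh' 'abc123' 'Password1' 'Ab12!?cd' 's^8Kn<bzg9Ruv,8s'; do
        printf '%-18s %s\n' "$pw" "$(check_simple "$pw" "$@")"
    done
}

# When the credit options are omitted they default to 1 each, so the article's
# original line (retry=3 minlen=8 difok=3) behaves like minlen=8 with credits 1/1/1/1.
preview "module default: minlen=9, credits 1"                          9  1  1  1  1
preview "article default: minlen=8, credits 1"                         8  1  1  1  1
preview "hardened: minlen=16 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2" 16 -1 -2 -2 -2
```

The dictionary stage that runs before these rules can be previewed separately with cracklib-check from the cracklib-runtime package (for example printf '%s\n' 'password' | cracklib-check), which prints OK or the reason Cracklib rejects the candidate.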

Test it

Now, if a user tries to set a new, simple (weak) password:
$ sudo passwd vivek
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
Sorry, passwords do not match.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password:
Sorry, passwords do not match.
New password:

Notice what happened above: passwd was run as root (through sudo), and by default pam_cracklib only warns when root picks a password that fails a check, then goes on to the “Retype new password:” prompt instead of refusing it (the “Sorry, passwords do not match.” lines come from that retype prompt). To make the checks binding for root as well, add the enforce_for_root option to the pam_cracklib.so line; to see them enforced for an ordinary account, run passwd as that user without sudo.

Here is a sample password that passes our requirements (16 characters, with 2 uppercase letters, 8 lowercase letters, 3 digits and 3 symbols):

s^8Kn<bzg9Ruv,8s

And there you have it: password changes on your Debian or Ubuntu Linux system now have to pass the libpam-cracklib checks and the constraints you configured.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

7 comments

  1. Excellent post. Thanks!!!

    Just one correction, probably a copy/paste error:
    “ucredit=-1 : The new password must contain at least 1 lowercase characters.” << ucredit should be about uppercase letters.

  2. “Now you can force users to have strong passwords that contain complex characters including lowercase, digits, uppercase, special characters and punctuation.”

    A strong password does not have to have digits, uppercase, special characters and punctuation. It could simply be four lowercase dictionary words. As long as you have entropy of some kind, you don’t need to mandate hard-to-remember characters!

    https://stormpath.com/blog/5-myths-password-security

  3. I want the implementation below on my CentOS server:
    1) Create one database user to login in my sqlyog.
    2) Map the databases with that user.

  4. Brilliant suggestion. Force users to select passwords they can’t remember, so they will have to write them on a stick-up note that they will attach to their computers. Brilliant indeed.

  5. Nice Explanation, Thanks

    One query: I am trying to apply this enforcing parameter for root, but difok is not working. Could anyone help here?

    Thanks in Advance

Comments are closed.