How can I set a secure or complex password policy on an Ubuntu / Debian Linux system?
By default, Linux is not secure, and more configuration is required on a new server installation to ensure it is hardened and secure from the bad guys. If users set weak passwords for their accounts, it becomes easy for hackers to brute-force and
When creating a local user on Linux, you can give it any password and it will be accepted, even one as weak as "password". This default setting poses a security risk to your production environment if users are allowed to reset their own passwords.
In this blog post, we will show you how you can enforce use of strong user passwords in Linux. This will work for both new user creation and for password resetting.
Enforce a secure password policy on Debian / Ubuntu
Force users to change their password every 30 days or less by editing /etc/login.defs:
sudo vim /etc/login.defs
Set the maximum password age there:
PASS_MAX_DAYS 30
Note that this value only applies to accounts created after the change; for existing accounts, set it per user with chage (for example, sudo chage -M 30 username).
Install the libpam-pwquality package on your Ubuntu / Debian system:
sudo apt-get -y install libpam-pwquality cracklib-runtime
After the package installation, you'll need to edit the /etc/pam.d/common-password file to set the password requirements:
sudo vim /etc/pam.d/common-password
Find the line:
password requisite pam_pwquality.so retry=3
and change it to:
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
- retry=3: Prompt the user 3 times before returning with an error.
- minlen=8: The minimum length of the password; it cannot be less than this parameter.
- maxrepeat=3: Allow a maximum of 3 repeated characters.
- ucredit=-1: Require at least one uppercase character.
- lcredit=-1: Must have at least one lowercase character.
- dcredit=-1: Must have at least one digit.
- ocredit=-1: Must have at least one other (special) character.
- difok=3: The number of characters in the new password that must not have been present in the old password.
- gecoscheck=1: Words in the GECOS field of the user's passwd entry must not be contained in the new password.
- reject_username: Rejects the password if it contains the name of the user in either straight or reversed form.
- enforce_for_root: Enforce the password policy for the root user as well.
Change the settings to fit your desired password policy, then reboot your system.
You can then add a test user:
sudo useradd test
Try to set a weak password:
sudo passwd test
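To verify that the policy above is actually in place (and to catch a common gap, such as a credit option left unset), here is a small POSIX shell audit helper. It is an added example, not code from the original post: it parses a pam_pwquality line of the form used in /etc/pam.d/common-password and a PASS_MAX_DAYS entry of the form used in /etc/login.defs, and reports what is missing. The two sample lines are constructed from this post; the live-host grep in the comment is an assumption about where the line lives on your system.

```shell
#!/bin/sh
# Audit helper for the pwquality policy described above (added example, not
# from the original post). Reports gaps against: minlen>=8, maxrepeat<=3,
# ucredit/lcredit/dcredit/ocredit<=-1, reject_username, enforce_for_root,
# and PASS_MAX_DAYS<=30.

# pwq_opt LINE KEY : print VALUE of the KEY=VALUE option on LINE (empty if unset)
pwq_opt() {
    for w in $1; do                      # unquoted on purpose: split on spaces
        case "$w" in "$2="*) printf '%s\n' "${w#*=}"; return 0 ;; esac
    done
    return 0
}

# pwq_flag LINE FLAG : succeed only if the bare FLAG word is present on LINE
pwq_flag() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# check_pwquality_line LINE : 0 if LINE enforces the policy, 1 otherwise
check_pwquality_line() {
    line=$1 fails=""
    case "$line" in *pam_pwquality.so*) ;; *) echo "not a pam_pwquality line"; return 1 ;; esac
    v=$(pwq_opt "$line" minlen)
    [ -n "$v" ] && [ "$v" -ge 8 ] || fails="$fails minlen"
    for k in ucredit lcredit dcredit ocredit; do   # -1 = require one of the class
        v=$(pwq_opt "$line" "$k")
        [ -n "$v" ] && [ "$v" -le -1 ] || fails="$fails $k"
    done
    v=$(pwq_opt "$line" maxrepeat)
    [ -n "$v" ] && [ "$v" -le 3 ] || fails="$fails maxrepeat"
    for f in reject_username enforce_for_root; do
        pwq_flag "$line" "$f" || fails="$fails $f"
    done
    [ -z "$fails" ] && { echo "policy OK"; return 0; }
    echo "policy gaps:$fails"; return 1
}

# check_pass_max_days TEXT : 0 if TEXT (login.defs content) sets PASS_MAX_DAYS <= 30
check_pass_max_days() {
    d=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*PASS_MAX_DAYS[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' | tail -n 1)
    [ -n "$d" ] && [ "$d" -le 30 ]
}

# Constructed samples: the stock line and the hardened line from this post.
# Live host (assumed path): check_pwquality_line "$(grep pam_pwquality.so /etc/pam.d/common-password)"
DEFAULT_LINE='password requisite pam_pwquality.so retry=3'
HARDENED_LINE="password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 \
ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
for l in "$DEFAULT_LINE" "$HARDENED_LINE"; do
    check_pwquality_line "$l" || :       # non-zero status only means gaps were found
done
check_pass_max_days 'PASS_MAX_DAYS 30' && echo "PASS_MAX_DAYS OK"
```

Running it prints the full list of gaps for the stock line and "policy OK" for the hardened one, so the same function can be dropped into a configuration-compliance check.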