
How can I set a secure or complex password policy on an Ubuntu / Debian Linux system? A default Linux installation does not enforce password quality, so a new server needs additional configuration before it can be considered hardened against attackers. If users set weak passwords for their accounts, it becomes easy for attackers to brute-force and compromise those accounts.


When creating a local user on Linux, you can give it any password and it will be accepted, even one as weak as "password". This default poses a security risk to your production environment if users are allowed to reset their own passwords.

In this blog post, we will show you how to enforce the use of strong user passwords in Linux. This applies both when creating new users and when resetting passwords.

Enforce secure password Policy on Debian / Ubuntu

Enforce users to change their password every 30 days or less

$ sudo vim /etc/login.defs
...
PASS_MAX_DAYS 30
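PASS_MAX_DAYS in /etc/login.defs only applies to accounts created after the change; accounts that already exist keep the maximum age stored in the fifth field of their /etc/shadow entry until it is updated with `chage -M`. The following added example (not part of the original post) reads a shadow-format file and lists the accounts whose maximum password age is over the limit, so you can see which existing users still need `chage`. The shadow data below is constructed for the example and the hashes are placeholders.

```shell
#!/bin/sh
# Added example: report accounts whose maximum password age in a shadow-format
# file exceeds the PASS_MAX_DAYS limit set in /etc/login.defs.
# Usage: stale_max_age_accounts <shadow-file> <max-days>
# Prints "user:current_max_days" for each account over the limit.
stale_max_age_accounts() {
    shadow_file=$1
    limit=$2
    # /etc/shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
    awk -F: -v limit="$limit" '
        # Skip accounts with no usable password (hash "*" or starting with "!")
        $2 == "*" || $2 ~ /^!/ { next }
        # An empty max field means the password never expires; report it too
        $5 == "" || $5 + 0 > limit { print $1 ":" ($5 == "" ? "unlimited" : $5) }
    ' "$shadow_file"
}

# Constructed sample in /etc/shadow format (placeholder hashes, not real data)
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$abc$placeholderhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$def$placeholderhash:19000:0:30:7:::
bob:$6$ghi$placeholderhash:19000:0:90:7:::
carol:$6$jkl$placeholderhash:19000:0::7:::
EOF

# Accounts over the 30-day policy: root (99999), bob (90), carol (never expires)
stale_max_age_accounts "$SAMPLE_SHADOW" 30
# To bring an existing account in line with the policy: sudo chage -M 30 bob
```

Run it against the real file with `sudo sh -c '. ./stale.sh; stale_max_age_accounts /etc/shadow 30'` (assumed file name), then apply `chage -M 30 <user>` to each account it lists.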

We will use the pwquality/pam_pwquality PAM module to set the default password quality requirements for the system passwords.

Install libpam-pwquality package on your Ubuntu / Debian system.

sudo apt-get -y install libpam-pwquality cracklib-runtime

After the package installation, you’ll need to edit the /etc/pam.d/common-password file to set password requirements.

sudo vim /etc/pam.d/common-password

Find the line that loads pam_pwquality.so (line 25 in the default file) and change it from:

password   requisite   pam_pwquality.so retry=3

To

password    requisite      pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

Options used:

  • retry=3: Prompt the user up to 3 times before returning an error.
  • minlen=8: The password cannot be shorter than 8 characters.
  • maxrepeat=3: Allow at most 3 consecutive identical characters.
  • ucredit=-1: Require at least one uppercase character.
  • lcredit=-1: Require at least one lowercase character.
  • dcredit=-1: Require at least one digit.
  • ocredit=-1: Require at least one other (non-alphanumeric) character.
  • difok=3: The number of characters in the new password that must not have been present in the old password.
  • gecoscheck=1: Reject a new password that contains words from the GECOS field of the user's passwd entry.
  • reject_username: Reject the password if it contains the user's name, either straight or reversed.
  • enforce_for_root: Enforce the password policy for the root user as well.
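To see what the line above accepts and rejects before touching PAM, here is an added example (not the pam_pwquality module and not code from the original post): a POSIX shell approximation of the rules listed above, run over a few constructed candidate passwords. It models minlen=8, the four credit options set to -1, maxrepeat=3 and reject_username; retry, difok and gecoscheck depend on the old password or the passwd entry and are left out. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: approximate the pam_pwquality rules from the common-password
# line so candidates can be tried out in a plain shell. Real enforcement is
# done by PAM; this only mirrors the listed rules for illustration.

# reverse_string <s>: print <s> reversed (for the reversed-username check)
reverse_string() {
    r_rest=$1 r_out=""
    while [ -n "$r_rest" ]; do
        r_out="${r_rest%"${r_rest#?}"}$r_out"   # prepend the first character
        r_rest=${r_rest#?}                      # drop the first character
    done
    printf '%s' "$r_out"
}

# check_password <candidate> <username>
# Returns 0 if the candidate passes every modelled rule; otherwise prints one
# reason per line and returns 1.
check_password() {
    pw=$1 user=$2 failed=0
    [ "${#pw}" -ge 8 ] || { echo "too short (minlen=8)"; failed=1; }
    case $pw in *[[:upper:]]*) ;; *) echo "needs an uppercase letter (ucredit=-1)"; failed=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "needs a lowercase letter (lcredit=-1)"; failed=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "needs a digit (dcredit=-1)"; failed=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "needs a non-alphanumeric character (ocredit=-1)"; failed=1 ;; esac

    # maxrepeat=3: a run of more than 3 identical consecutive characters fails
    rest=$pw prev="" run=0
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}
        rest=${rest#?}
        if [ "$c" = "$prev" ]; then run=$((run + 1)); else run=1; prev=$c; fi
        if [ "$run" -gt 3 ]; then
            echo "more than 3 repeated characters (maxrepeat=3)"; failed=1; break
        fi
    done

    # reject_username: the user name must not appear straight or reversed
    # (compared case-insensitively)
    lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
    luser=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    ruser=$(reverse_string "$luser")
    if [ -n "$luser" ]; then
        case $lpw in
            *"$luser"*|*"$ruser"*) echo "contains the user name straight or reversed (reject_username)"; failed=1 ;;
        esac
    fi
    return "$failed"
}

# Constructed candidates for the user "test": the first three should fail,
# the last one should pass
for candidate in 'password' 'Tset12345!' 'Abcdddd1!' 'Str0ng!Pass'; do
    echo "== $candidate"
    if check_password "$candidate" test; then echo "accepted"; fi
done
```

The real check happens inside PAM, so after editing common-password run `sudo passwd test` from a second terminal while your current session stays open: a malformed PAM line can prevent authentication for every account, and the open session lets you revert the file.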

Change the settings to fit your desired password policy, then reboot your system.

sudo reboot

You can then add a test user account to confirm that your password policy is working.

sudo useradd test

Try to set a weak password.

sudo passwd test



1 COMMENT

  1. After reboot, existing logins fail after password entry; existing passwords do not meet the given criteria. Unable to log in at all now, even root.
