How can I set a secure or complex password policy on Ubuntu / Debian Linux system?. By default, Linux is not secure and more configurations are required for a new server installation to ensure it is hardened and secure from the bad guys. If users set weak passwords for their accounts, it becomes easy for hackers to brute-force and

When creating a local user on Linux, you can give it any password and it will accept – even the weakest such as “password“. This default setting poses a security risk to your Production environment if users are allowed to reset their password.
In this blog post, we will show you how you can enforce use of strong user passwords in Linux. This will work for both new user creation and for password resetting.
Enforce secure password Policy on Debian / Ubuntu
Enforce users to change password every 30 days or less
$ sudo /etc/login.defs
...
PASS_MAX_DAYS 30
We will use the pwquality/pam_pwquality PAM module to set the default password quality requirements for the system passwords.
Install libpam-pwquality package on your Ubuntu / Debian system.
sudo apt-get -y install libpam-pwquality cracklib-runtime
After the package installation, you’ll need to edit the /etc/pam.d/common-password
file to set password requirements.
sudo vim /etc/pam.d/common-password
Change line 25
from:
password requisite pam_pwquality.so retry=3
To
password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
Options used.
- retry=3: Prompt a user 3 times before returning with
error . minlen=8 : The password length
cannot be less than this parameter- maxrepeat=3: Allow a maximum
of 3 repeated
characters ucredit=-1 : Require at leastone uppercase
character lcredit=-1 : Must have at leastone lowercase
character .dcredit=-1 : must have at leastone digit
difok=3 : The number of characters in the new password that must not have been present in the old password.- gecoscheck=1: Words in the GECOS field of the user’s passwd entry are not contained in the new password.
- reject_username: Rejects the password if contains the name of the user in either straight or reversed form.
- enforce_for_root: Enforce
pasword policy for root user
Change the settings to fit your desired password policy then reboot your system.
sudo reboot
You can then add a test
sudo useradd test
Try to set a weak password.
sudo passwd test
Also check:
How to Install Metasploit Framework on Ubuntu 18.04 / Debian 9
How to Install Nessus Scanner on Ubuntu 18.04 / Debian 9
How to Perform Information Gathering on Linux with Digger
How to Install OSSEC HIDS on Ubuntu 18.04 / 16.04 / Debian 9
How to Setup IPSec VPN server with L2TP and Cisco IPsec on Ubuntu / CentOS / Debian