How can I set a secure or complex password policy on Ubuntu / Debian Linux system?. By default, Linux is not secure and more configurations are required for a new server installation to ensure it is hardened and secure from the bad guys. If users set weak passwords for their accounts, it becomes easy for hackers to brute-force and compromise the accounts.

set user password policy ubuntu debian 1

When creating a local user on Linux, you can give it any password and it will accept – even the weakest such as “password“. This default setting poses a security risk to your Production environment if users are allowed to reset their password.

In this blog post, we will show you how you can enforce use of strong user passwords in Linux. This will work for both new user creation and for password resetting.

Enforce secure password Policy on Debian / Ubuntu

Enforce users to change password every 30 days or less

$ sudo vim /etc/login.defs
...
PASS_MAX_DAYS   30

We will use the pwquality/pam_pwquality PAM module to set the default password quality requirements for the system passwords.

Install libpam-pwquality package on your Ubuntu / Debian system.

sudo apt update
sudo apt -y install libpam-pwquality cracklib-runtime

After the package installation, you’ll need to edit the /etc/pam.d/common-password file to set password requirements.

sudo vim /etc/pam.d/common-password

Change line 25 from:

password   requisite   pam_pwquality.so retry=3

To

password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

Options used.

  • retry=3: Prompt a user 3 times before returning with error.
  • minlen=8 : The password length cannot be less than this parameter
  • maxrepeat=3: Allow a maximum of 3 repeated characters
  • ucredit=-1 : Require at least one uppercase character
  • lcredit=-1 : Must have at least one lowercase character.
  • dcredit=-1 : must have at least one digit
  • difok=3 : The number of characters in the new password that must not have been present in the old password.
  • gecoscheck=1: Words in the GECOS field of the user’s passwd entry are not contained in the new password.
  • reject_username: Rejects the password if contains the name of the user in either straight or reversed form.
  • enforce_for_root: Enforce pasword policy for root user

Change the settings to fit your desired password policy then reboot your system.

sudo reboot

You can then add a test user account to confirm that your Password policy is working.

sudo useradd  test

Try to set a weak password.

sudo passwd test

Recommended books:

Also check:

RELATED ARTICLESMORE FROM AUTHOR

1 COMMENT

  1. after reboot, existing logins fail after password entry, existing passwords do not meet given criteria. unable to login at all now, even root.

LEAVE A REPLY

Please enter your comment!
Please enter your name here