This article will help ensure your users are meeting password complexity requirements set by your organization. We will show you how to force password complexity for normal users on Red Hat 6 systems. This should also work on other Red Hat based systems like Fedora and CentOS.
What is Password Complexity?
For the most part this can be a very debatable discussion. Common thinking is a strong password would be comprised of AT LEAST 14 characters containing AT LEAST 1 capitalized alphabetic character, 1 lowercase alphabetic character, 1 digital, and 1 special character. Passwords should also not be based on a dictionary word.
Why Force Password complexity?
Left to their own devices most users will create a password they can remember easily. Unfortunately this usually means they will create a password also easily guessed by someone else. I have heard of people even using the word “password” or “letmein”. This poses real security concerns for a system and for user data.
Always Backup your Files
It's always a good idea to backup the files you are modifying, especially when working with pam.
cp /etc/pam.d/system-auth /root/system-auth
Configuring pam (Pluggable Authentication Modules)
Edit the file /etc/pam.d/system-auth with your favorite editor (vim, nano, etc..). Look for the line containing the pam_cracklib module like below:
password requisite pam_cracklib.so try_first_pass
We need to edit this line of the file and add the options we would like to enforce. To enforce the password complexity that we spoke about in the beginning of this article we will change the line to:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1
After changing the file be sure to save it and your done. If you have existing users on your system and you want to make sure they are meeting the password requirements you can force them to change their password on the next login. To do this we need to lock the user account, expire their password, and unlock the user account. Here are the simple step to accomplish this.
Lock an account
usermod -L johndoe
Expire their current password
chage -d 0 johndoe
Unlock their account
usermod -U johndoe
Check the status of their password
# chage -l johndoe
Last password change : password must be changed
Password expires : password must be changed
Password inactive : password must be changed
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
Options
Below is a list of options that I chose to use for my password requirements.
For a complete list see here.
retry=N
Prompt user at most N times before returning with error. The default is 1.
minlen=N
The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower and digit). The default for this parameter is 9 which is good for a old style UNIX password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in Cracklib itself, a “way too short” limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to minlen. If you want to allow passwords as short as 5 characters you should not use this module.
reject_username
Check whether the name of the user in straight or reversed form is contained in the new password. If it is found the new password is rejected.
dcredit=N
(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current minlen value. The default for dcredit is 1 which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of digits that must be met for a new password.
lcredit=N
(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or N lower case letters, each letter will count +1 towards meeting the current minlen value. The default for lcredit is 1 which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of lower case letters that must be met for a new password.
ocredit=N
(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current minlen value. The default for ocredit is 1 which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password.
ucredit=N
(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or N upper case letters each letter will count +1 towards meeting the current minlen value. The default for ucredit is 1 which is the recommended value for minlen less than 10. (N < 0) This is the minimum number of upper case letters that must be met for a new password.
A better explaination of how credits work can be found in "Creating Password Policies using pwquality".
Additional Reading
Leave a Reply Cancel reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
7 Comments
Join Our Newsletter
Categories
- Bash Scripting (17)
- Basic Commands (50)
- Featured (7)
- Just for Fun (5)
- Linux Quick Tips (98)
- Linux Tutorials (65)
- Miscellaneous (15)
- Network Tools (6)
- Reviews (2)
- Security (32)
Great help - thanks for posting this.
Great post. Thank you for taking time to share this info.... SOX rocks... not!
Question, so a member of our security team for our company and to meet many compliance requirements and I need to write a script to check each of our RHEL 3/4/5 servers what would something like that have to look like to look for the dcredit, lcredit, ocredit, ucredit, if they need to be greater than or equal to 1.
Would it look something like: /etc/pam.d/system-auth ucredit=1 dcredit=1 ocredit=1 lcredit=1
or would I actually run that check against the /lib/security/$ISA/pam_cracklib.so directory?
Thanks in advance
@Todd - A simple way would be to just read the /etc/pam.d/system-auth file and check for the necessary settings. Maybe something like this:
cat /etc/pam.d/system-auth | grep credit
This should list the settings you have for password complexity, here is a sample output:
password requisite pam_cracklib.so try_first_pass retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minlen=14
Dear Can you please confirm that
password requisite pam_cracklib.so try_first_pass retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minlen=14
lcredit=-1
ucredit=-1
dcredit=-1
ocredit=-1
means ???
I have applied a policy in my system
password requisite pam_cracklib.so try_first_pass retry=3 lcredit=1 ucredit=-1 dcredit=1 ocredit=-1 minlen=8
but still it is asking for one Upper character & Other character like @#$ etc in password.
Please confirm
Try this:
password requisite pam_cracklib.so try_first_pass retry=3 lcredit=1 dcredit=1 minlen=8
removing ucredit (uppercase) and ocredit (other).
Read more here:
http://linux.die.net/man/8/pam_cracklib
Hi,
After configuring these settings, Still machine is not asking for complex password or minimum length.
I had applied these configuration on RHEL 6.2x 64 bit. Please suggest
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=1 dcredit=1 ocredit=1 lcredit=-1
Also i can see pam_cracklib.so is not installed, correct me if i am wrong.
rpm -qa | grep -i pam_*
fprintd-pam-0.1-19.git04fd09cfa.el6.x86_64
pam-1.1.1-10.el6.x86_64
gnome-keyring-pam-2.28.2-6.el6.x86_64
pam_passwdqc-1.0.5-6.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
Thanks