
I need to configure an Ubuntu server to follow a strict company password policy that specifies the following:

  • at least one upper case
  • at least one lower case
  • at least one digit
  • at least one special character

I've had a look around, and all I have found are instructions for specifying the password length, but I have yet to find anything that relates to specifying the content of the password with regard to the above points.

Any help would be appreciated.

Kevin Bowen
Stephen RC

2 Answers


Update January 2023: the library pam_pwquality.so has in many/most cases superseded the use of pam_cracklib.so. pam_pwquality.so should be backwards compatible with pam_cracklib. See the pam_pwquality.so man page for usage details and examples.


Password complexity is enforced by the pam_cracklib module.

In order to modify the password policy for your local machine, you will need to modify your /etc/pam.d/common-password file.

From a terminal window (Ctrl+Alt+T), enter the following command:

sudo vi /etc/pam.d/common-password

Add the following line to the file (before pam_unix.so, or whichever PAM module is primarily used for authentication, as the examples in the manpage show) and save the file:

password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1

This statement implements the following password requirements:

  • dcredit == digit
  • ucredit == upper-case character
  • lcredit == lower-case character
  • ocredit == other character (special characters, including !, @, #, $, %)

This should satisfy your requirements.

You could also use the options minlen and retry to further restrict the password requirements.

Another good example of modifying a password policy in this manner would be placing the following line in the /etc/pam.d/common-password file:

password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1  ocredit=-1

This entry will set a maximum of three attempts at getting an acceptable password with a 10-character minimum length.

This sets the requirement for users to have a minimum of three characters different from the last password.

This will also fulfill the requirement of having the password contain at least one each of a digit, a lower-case character and an upper-case character.

See also this article on setting up stronger password policy rules in Linux.

Kevin Bowen
  • Excellent answer! I'd add, regarding retries, that it's important to be careful when considering a policy to prevent users from logging on who have too many recent failed login attempts. This can lead to the viability of one of the simplest and most easily executed denial of service attacks on an account (try and fail to log in X number of times until the account is "locked out" and then the legitimate user cannot get in). – Eliah Kagan Jan 17 '13 at 04:27
  • Fantastic answer, thanks :) One question though, it seems that the root user is able to ignore the password requirements... Is it possible to enforce this for the root user too? – Stephen RC Jan 17 '13 at 22:33
  • @Valorin What part of the password requirements is the root user not respecting? – Kevin Bowen Jan 18 '13 at 00:29
  • @maggotbrain Any of it, it throws a warning but still saves it, this was the password 'snare': http://paste.ubuntu.com/1543154/ – Stephen RC Jan 18 '13 at 00:45
  • @Valorin So, you've enabled the account called 'root' and can use this account with this password, correct? What warnings are you getting? Unfortunately, I don't have a machine with an enabled root account to test this myself. It sounds like a bug, but need more info. – Kevin Bowen Jan 18 '13 at 01:39
  • @maggotbrain Yeah, we have the root login enabled and working, but more to the point you can do it with sudo as well, so try: sudo passwd your_username – Stephen RC Jan 18 '13 at 01:52
  • @Valorin I am not able to repro that issue. I can change user passwords and they respect the restrictions that I place upon them. That said, I do not have the root user enabled. Take a look at the pam bugs https://bugs.launchpad.net/ubuntu/+source/pam. You may want to file a new bug against this module. – Kevin Bowen Jan 18 '13 at 03:19
  • @maggotbrain I'm running this on 10.04, so potentially something that has been fixed/changed in newer releases? I'll check the bugs list. – Stephen RC Jan 18 '13 at 04:36
  • In 14.04 the module is pam_unix.so. Options will be same of that too? – Akshay Mar 16 '17 at 05:57
  • It's 2020 and this answer is 7 years old now. I've seen several tutorials online saying that I should use pam_pwquality now instead of cracklib, without elaborating on why. Is cracklib still a good idea to use? – 9a3eedi Sep 14 '20 at 06:17
  • @9a3eedi It would be better if you asked a new question and referred to this Q&A as a reference to get answers. – Kevin Bowen Sep 14 '20 at 06:40
  • I think you now should use pam_pwquality.so – Melroy van den Berg Jan 13 '23 at 00:54
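As an added example (not code from the answer above, nor from the pam_cracklib or pam_pwquality projects), the shell script below shows what the credit options in the accepted answer actually require and sanity-checks a common-password file before you rely on it. A negative credit value (ucredit=-1 and so on) is a minimum count of that character class, which is what check_policy mirrors locally together with minlen=10; running it on 'snare' (the password from the comment thread) shows why it should have been rejected. complexity_before_unix confirms that the pam_pwquality.so or pam_cracklib.so line sits before the pam_unix.so line, the ordering the answer asks for, since the check does nothing if pam_unix.so has already stored the password. Both sample stacks are constructed for this example; the first adds enforce_for_root, the option both modules document for making the check apply to root and to "sudo passwd user", which is the bypass Stephen RC describes in the comments. Function names, MIN_LEN and the file contents are this example's assumptions, not part of the page.

```shell
#!/bin/sh
# Added example, not code from the original answer. Mirrors what the
# pam_pwquality/pam_cracklib credit options require and sanity-checks the
# module ordering in a common-password file. Function names, MIN_LEN and the
# sample file contents are this example's assumptions.

MIN_LEN=10   # assumed value, matching minlen=10 in the answer's second example

# check_policy PASSWORD
# Returns 0 when PASSWORD has at least one upper-case letter, one lower-case
# letter, one digit and one non-alphanumeric character and is at least
# MIN_LEN characters long: the effect of ucredit=-1 lcredit=-1 dcredit=-1
# ocredit=-1 minlen=$MIN_LEN. Returns 1 and prints the failing rule(s)
# otherwise. It does not replicate difok or cracklib's dictionary checks, so
# a real PAM stack may still reject what this accepts.
check_policy() {
    pw=$1
    rc=0
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "too short: minlen=$MIN_LEN"; rc=1
    fi
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter (ucredit=-1)"; rc=1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter (lcredit=-1)"; rc=1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit (dcredit=-1)"; rc=1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no special character (ocredit=-1)"; rc=1 ;; esac
    return $rc
}

# complexity_before_unix FILE
# Returns 0 when FILE has a "password" line for pam_pwquality.so or
# pam_cracklib.so that appears before the first "password" line using
# pam_unix.so; that ordering is what makes the complexity check run before
# the new password is stored. Lines whose first field is "#" are ignored.
complexity_before_unix() {
    awk '
        $1 == "password" && /pam_(pwquality|cracklib)\.so/ && !q { q = NR }
        $1 == "password" && /pam_unix\.so/ && !u { u = NR }
        END { exit !(q && u && q < u) }
    ' "$1"
}

# Constructed sample stacks (assumptions, not a real Ubuntu file). The first
# is the layout the answer describes, with enforce_for_root added so the rule
# also applies when root or "sudo passwd user" sets a password; the second
# has pam_unix.so first, so the policy is never applied.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
password requisite pam_pwquality.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so
EOF
cat > "$tmp/bad" <<'EOF'
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_pwquality.so retry=3
EOF

for f in good bad; do
    if complexity_before_unix "$tmp/$f"; then
        echo "$f: complexity module runs before pam_unix.so"
    else
        echo "$f: WARNING: pam_unix.so runs first, the policy is not enforced"
    fi
done
rm -rf "$tmp"

# 'snare' is the password from the comment thread; 'Password1' has no
# special character and is too short; the last one satisfies every rule.
for pw in 'snare' 'Password1' 'Tr0ub4dor&3'; do
    if check_policy "$pw"; then
        echo "$pw: acceptable"
    else
        echo "$pw: rejected"
    fi
done
```

Run it as an unprivileged user; nothing here touches /etc/pam.d. To check a live system, point complexity_before_unix at /etc/pam.d/common-password, then confirm the behaviour end to end with passwd on a test account rather than trusting the local approximation, since pam_pwquality also applies dictionary and similarity checks this script does not model.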

There's a fork of pam_cracklib by Tomas Mraz: pam_pwquality with slightly better options.

Add it with apt install libpam-pwquality or passwd will complain:

Module is unknown

caduceus