How to set password strength requirements on Linux?

The question – I want to set some minimum password length and strength requirements on my Linux CentOS machine. Is there a Linux command or directive to do this?

The Pluggable Authentication Modules (PAM) module pam_cracklib.so performs several checks before a new password is accepted. Note that on a Linux machine users can change their own passwords, and the rules enforced by this module apply to every password change that goes through it. The module can check for several things:

  1. Same password: the user cannot reuse the current password.
  2. Minimum length: the password entered by the user must have a minimum length (for example, 8 characters).
  3. Password strength: the password earns credits for containing an uppercase letter, a special character, a digit and so on; the module then judges the strength of the password from these credits together with its length.

The module also rejects passwords that are rotations of the old password, that are very similar to it or differ from it by only a character or two, that are too simple (for example palindromes), and so on.

On CentOS, the file to be modified is:

/etc/pam.d/system-auth

To enforce certain rules for passwords, use the following syntax:

password required pam_cracklib.so minlen=6 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1

The above line in the system-auth file enforces at least one lowercase letter (lcredit), at least one uppercase letter (ucredit), at least one digit (dcredit) and at least one other character, i.e. anything that is not a letter or digit (ocredit).

A negative value instructs the module to require at least that many characters of the class instead of awarding credit toward the strength score. With every credit set to a negative value no bonus points are awarded, so the minlen argument is compared against the plain length and enforces that the password be at least 6 characters long. Note that the checks are only advisory for root by default: root sees the failure message but can still set the password unless the enforce_for_root option is added to the line.
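To make the credit arithmetic concrete, here is a small Python model of the rules described above. It is an added illustration written for this post, not the module's own code: it follows the minlen/credit semantics and the old-password comparisons documented for pam_cracklib, but the similarity test is a simplified stand-in for the module's difok logic, and the policy objects and sample passwords are constructed for the demonstration.

```python
import string
from dataclasses import dataclass


@dataclass
class CracklibPolicy:
    """Options from a pam_cracklib line; the defaults are the documented ones."""
    minlen: int = 9
    dcredit: int = 1   # digits
    ucredit: int = 1   # uppercase letters
    lcredit: int = 1   # lowercase letters
    ocredit: int = 1   # everything else
    difok: int = 5     # characters that must differ from the old password


CLASS_LABELS = {"dcredit": "digit", "ucredit": "uppercase letter",
                "lcredit": "lowercase letter", "ocredit": "other character"}


def class_counts(pw: str) -> dict:
    """Count characters per credit class; anything not a letter or digit is 'other'."""
    counts = {
        "dcredit": sum(c in string.digits for c in pw),
        "ucredit": sum(c in string.ascii_uppercase for c in pw),
        "lcredit": sum(c in string.ascii_lowercase for c in pw),
    }
    counts["ocredit"] = len(pw) - sum(counts.values())
    return counts


def credit_score(pw: str, policy: CracklibPolicy):
    """Return (score, failures) following the minlen/credit rules.

    A non-negative credit adds up to that many points for characters of the
    class; a negative credit -N makes N characters of the class mandatory
    and adds nothing, so with all credits negative the score is the length.
    """
    score = len(pw)
    failures = []
    for opt, n in class_counts(pw).items():
        credit = getattr(policy, opt)
        if credit >= 0:
            score += min(n, credit)
        elif n < -credit:
            failures.append(f"needs at least {-credit} {CLASS_LABELS[opt]}(s)")
    if score < policy.minlen:
        failures.append(f"score {score} below minlen {policy.minlen}")
    return score, failures


def check_new_password(new: str, old: str, policy: CracklibPolicy) -> list:
    """Apply the old-password comparisons and the credit scoring.

    Returns a list of reasons for rejection; an empty list means accepted.
    """
    failures = []
    if new == old:
        failures.append("is the same as the old one")
    elif new.lower() == old.lower():
        failures.append("is a case change of the old one")
    elif len(new) == len(old) and new in old + old:
        failures.append("is a rotation of the old one")
    else:
        # Simplified stand-in for the difok rule: count characters of the old
        # password that do not occur anywhere in the new one.
        differing = sum(c not in new for c in old)
        if differing < policy.difok and len(new) < 2 * len(old):
            failures.append("is too similar to the old one")
    if new == new[::-1]:
        failures.append("is a palindrome")
    if len(new) < 6:  # cracklib's own hard floor, checked regardless of minlen
        failures.append("is too short for cracklib (fewer than 6 characters)")
    failures.extend(credit_score(new, policy)[1])
    return failures


# Policy from the system-auth line in this post (constructed for the demo).
POST_POLICY = CracklibPolicy(minlen=6, lcredit=-1, ucredit=-1,
                             ocredit=-1, dcredit=-1)

if __name__ == "__main__":
    for candidate in ("Ab1!xy", "abcdef", "abcdefg1", "OLDPASS", "Ab1!"):
        print(candidate, "->", check_new_password(candidate, "oldpass", POST_POLICY)
              or "accepted")
```

Running the script shows why the post's line is stricter than the defaults: under the default policy `abcdefg1` scores 8 + 1 (digit) + 1 (lowercase) = 10 and clears minlen=9, whereas under the post's policy it earns no credit and is rejected for lacking an uppercase letter and an "other" character.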

For more information on the system-auth file and the pam_cracklib module, consult the man pages:

man system-auth
man pam_cracklib
