Setting Password Policy With PAM

Tip of the Trade: Establishing a good password policy from the start is just as critical to security as testing the strength of passwords already in use. The PAM module pam_cracklib can enforce both length and complexity.




Posted September 17, 2008

Juliet Kemp


Last week I talked about testing the strength of users' passwords. Another way to ensure security is to set a good password policy.

The PAM module pam_cracklib can enforce both length and complexity. For length, it uses the minlen option. For complexity, it has options dcredit, ucredit, lcredit, and ocredit, which refer to digit, upper-case character, lower-case character, and other character, respectively. A value of -1 for one of these means "require one character of this type," and a value of 1 means "give 1 credit for this type." The credit system involves giving "length credits" for using non-lowercase characters (so you can have a shorter password than the minimum length if it uses non-lowercase characters), but this can be confusing for users, so it may be best to just require certain types of character.

Try the following line in /etc/pam.d/common-password in Debian-type distros or /etc/pam.d/system-auth in RedHat-type distros:

password requisite pam_cracklib.so retry=3 minlen=10 \
   difok=3 dcredit=-1 ucredit=-1 lcredit=-1

This will set a maximum of three attempts at getting an acceptable password (users can always rerun passwd to try again); a 10-character minimum length; a minimum of three characters different from the last password; and a requirement that the password contain at least one each of digit, lower-case character, and upper-case character.
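
The following is an added example, not part of the original article and not pam_cracklib's own code: a simplified Python model of the minlen and credit arithmetic, applied to the options from the line above. It assumes the man page's default credit of 1 for any credit option left unset (here, ocredit); the function names and sample passwords are constructed for illustration, and the dictionary and difok checks are not modelled.

```python
import string

# Per the pam_cracklib man page, each credit option defaults to 1 when unset.
CREDIT_DEFAULTS = {"dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

# Option string from the article's PAM line.
ARTICLE_OPTS = "retry=3 minlen=10 difok=3 dcredit=-1 ucredit=-1 lcredit=-1"


def parse_opts(opt_string):
    """Parse 'key=value' options into ints, applying the credit defaults."""
    opts = dict(CREDIT_DEFAULTS)
    for token in opt_string.split():
        key, _, value = token.partition("=")
        opts[key] = int(value)
    return opts


def classify(password):
    """Count digits, upper-case, lower-case and other characters (ASCII)."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.digits:
            counts["dcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check(password, opts):
    """Model only the minlen/credit rule; returns (accepted, reason)."""
    required = opts["minlen"]
    for name, count in classify(password).items():
        credit = opts[name]
        if credit >= 0:
            required -= min(count, credit)  # credits shorten the required length
        elif count < -credit:
            return False, f"{name}={credit}: needs {-credit} of this type"
    if len(password) < required:
        return False, f"too short: {len(password)} < {required}"
    return True, f"ok: {len(password)} >= {required}"


if __name__ == "__main__":
    for pw in ("Tr4ilmixx", "Tr4ilmix!", "trailmix2008"):  # constructed samples
        print(pw, check(pw, parse_opts(ARTICLE_OPTS)))
```

Because ocredit is not set in the article's line, one punctuation character lets a 9-character password satisfy minlen=10 in this model; appending ocredit=0 removes that credit.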

Finally, to make all your users change their passwords regularly, edit the /etc/login.defs file to set the PASS_MAX_DAYS variable to the maximum time allowed before changing a password. This affects only new accounts; use the command chage to affect existing users.

This article was first published on

Tags: PHP, security, IT, policy
