Setting Password Policy With PAM

Tip of the Trade: Establishing a good password policy from the start is just as critical to security as testing the strength of passwords already in use. The PAM module pam_cracklib can enforce both length and complexity.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Posted September 17, 2008

Juliet Kemp

Juliet Kemp

Last week I talked about testing the strength of users' passwords. Another way to ensure security is to set a good password policy.

The PAM module pam_cracklib can enforce both length and complexity. For length, it uses the minlen option. For complexity, it has options dcredit, ucredit, lcredit, and ocredit, which refer to digit, upper-case character, lower-case character, and other character, respectively. A value of -1 for one of these means "require one character of this type," and a value of 1 means "give 1 credit for this type." The credit system involves giving "length credits" for using non-lowercase characters (so you can have a shorter password than the minimum length if it uses non-lowercase characters), but this can be confusing for users, so it may be best to just require certain types of character.

Try the following line in /etc/pam.d/common-password in Debian-type distros or /etc/pam.d/system-auth in RedHat-type distros:

password requisite pam_cracklib.so retry=3 minlen=10 
   difok=3 dcredit=-1 ucredit=-1 lcredit=-1
This will set a maximum of three attempts at getting an acceptable password (users can always rerun passwd to try again); a 10-character minimum length; a minimum of three characters different from the last password; and a requirement that the password contain at least one each of digit, lower-case character, and upper-case character.

Finally, to make all your users change their passwords regularly, edit the /etc/login.defs file to set the PASS_MAX_DAYS variable to the maximum time allowed before changing a password. This affects only new accounts; use the command chage to affect existing users.

This article was first published on ServerWatch.com.

Tags: PHP, security, IT, policy

Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.