Sunday, May 16, 2021

Setting Password Policy With PAM

Last week I talked about testing the strength of users’ passwords. Another
way to ensure security is to set a good password policy.

The PAM module pam_cracklib can enforce both length and
complexity. For length, it uses the minlen option. For complexity, it
has options dcredit, ucredit, lcredit, and

ocredit, which refer to digit, upper-case character, lower-case
character, and other character, respectively. A value of -1 for one of these
means “require one character of this type,” and a value of 1 means “give 1
credit for this type.” The credit system involves giving “length credits” for
using non-lowercase characters (so you can have a shorter password than the
minimum length if it uses non-lowercase characters), but this can be confusing
for users, so it may be best to just require certain types of character.

Try the following line in /etc/pam.d/common-password in Debian-type distros or
/etc/pam.d/system-auth in RedHat-type distros:

password requisite retry=3 minlen=10 
   difok=3 dcredit=-1 ucredit=-1 lcredit=-1

This will set a maximum of three attempts at getting an acceptable password (users
can always rerun passwd to try again); a 10-character minimum length;
a minimum of three characters different from the last password; and a requirement
that the password contain at least one each of digit, lower-case character,
and upper-case character.

Finally, to make all your users change their passwords regularly, edit the
/etc/login.defs file to set the PASS_MAX_DAYS variable to
the maximum time allowed before changing a password. This affects only new
accounts; use the command chage to affect existing users.

This article was first published on

Similar articles

Latest Articles

How IBM has Changed...

Think is IBM’s big annual conference, and again this year, it was digital. I’m noticing a sharp quality difference in shows like this where...

Database-Tuning Platform Launches and...

PITTSBURGH — A team out of Carnegie Mellon University is launching its automatic database-tuning product today with the help of $2.5 million in funding.   OtterTune,...

Top 10 Professional Services...

Professional services automation (PSA) software aims to offer service-based companies most of the software they will need to run their businesses in one package....

What is Data Aggregation?

Data aggregation is the process where raw data is gathered and presented in a summarized format for statistical analysis. The data may be gathered...