
5.3.1 Ensure password creation requirements are configured (Scored)

Profile Applicability

Level 1 - Server
Level 1 - Workstation 

Description

The pam_pwquality.so module checks the strength of new passwords. It performs checks such as making sure a password is not a dictionary word, that it meets a minimum length, that it contains a mix of character classes (alphabetic, numeric, other) and more. The options used by this recommendation are:

try_first_pass - use the password already collected by a previous module in the stack instead of prompting for it again
retry=3 - prompt the user at most 3 times before returning an error

The following options are set in the /etc/security/pwquality.conf file:

minlen=14 - a password must be at least 14 characters long
dcredit=-1 - a password must contain at least one digit
ucredit=-1 - a password must contain at least one uppercase character
ocredit=-1 - a password must contain at least one non-alphanumeric character
lcredit=-1 - a password must contain at least one lowercase character

A negative credit value is a minimum count of that character class. A positive value would instead award a length credit for each such character, letting a password shorter than minlen pass, which is why the recommendation uses -1 rather than 1.

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.

Rationale

Strong passwords protect systems from being compromised through brute-force and dictionary attacks.

Audit

Run the following commands and verify all password requirements are as listed or stricter:

# grep pam_pwquality.so /etc/pam.d/common-password 
password requisite pam_pwquality.so try_first_pass retry=3 
# grep ^minlen /etc/security/pwquality.conf 
minlen=14 
# grep ^dcredit /etc/security/pwquality.conf 
dcredit=-1 
# grep ^lcredit /etc/security/pwquality.conf 
lcredit=-1 
# grep ^ocredit /etc/security/pwquality.conf 
ocredit=-1 
# grep ^ucredit /etc/security/pwquality.conf
ucredit=-1
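The greps above only print the raw values; deciding whether each one is "as listed or stricter" is left to the reader. The following POSIX shell script, added here as an example and not part of the benchmark, applies that comparison: minlen must be 14 or higher, each credit must be -1 or lower, pam_pwquality.so must be stacked on a password line as requisite (required is also accepted, since both enforce the module's verdict), and retry, if present, must be 3 or fewer. It skips commented-out lines and tolerates whitespace around the equals sign. With no arguments it audits constructed sample files; pass the two real paths to audit a live system. The function names and the sample file contents are the example's own.

```shell
#!/bin/sh
# Audit helper for 5.3.1 (added example, not from the CIS benchmark).
# Passes only when settings are as listed in the benchmark or stricter.

# pwq_value KEY FILE: print the effective value of KEY in a
# pwquality.conf-style file. Commented lines are skipped, whitespace around
# '=' is tolerated and, when a key appears more than once, the last wins.
pwq_value() {
    awk -v k="$1" -F= '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            name = $1; gsub(/[[:space:]]/, "", name)
            if (name == k) { val = $2; gsub(/[[:space:]]/, "", val) }
        }
        END { print val }' "$2"
}

# pwq_check KEY BOUND MODE FILE
#   MODE "min": compliant when value >= BOUND (e.g. minlen >= 14)
#   MODE "max": compliant when value <= BOUND (e.g. dcredit <= -1)
# A missing or non-numeric value is non-compliant.
pwq_check() {
    v=$(pwq_value "$1" "$4")
    case $v in ''|*[!0-9-]*) return 1 ;; esac
    if [ "$3" = min ]; then [ "$v" -ge "$2" ]; else [ "$v" -le "$2" ]; fi
}

# pam_check FILE: pam_pwquality.so must be on a password line as requisite
# (required also enforces the result, so it is accepted too), and retry, if
# present, must be 3 or fewer (the module's own default is 1).
pam_check() {
    pat='^[[:space:]]*password[[:space:]]+(requisite|required)[[:space:]]+pam_pwquality\.so'
    line=$(grep -E "$pat" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    r=$(printf '%s\n' "$line" | grep -oE 'retry=[0-9]+' | cut -d= -f2) || true
    [ -z "$r" ] || [ "$r" -le 3 ]
}

# audit_5_3_1 [PAM_FILE] [PWQUALITY_CONF]: print findings; return 0 only if all pass.
audit_5_3_1() {
    pam=${1:-/etc/pam.d/common-password}
    conf=${2:-/etc/security/pwquality.conf}
    fail=0
    pam_check "$pam" || { echo "FAIL: pam_pwquality.so not configured in $pam"; fail=1; }
    pwq_check minlen 14 min "$conf" || { echo "FAIL: minlen must be 14 or more in $conf"; fail=1; }
    for k in dcredit ucredit ocredit lcredit; do
        pwq_check "$k" -1 max "$conf" || { echo "FAIL: $k must be -1 or lower in $conf"; fail=1; }
    done
    [ "$fail" -eq 0 ] && echo "PASS: 5.3.1 password creation requirements are configured"
    return "$fail"
}

# Run against constructed sample files (not the live system) so the script
# can be exercised anywhere; the contents mirror the benchmark's values.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/common-password" <<'EOF'
# constructed sample of /etc/pam.d/common-password
password requisite pam_pwquality.so try_first_pass retry=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF
    cat > "$d/pwquality.conf" <<'EOF'
# constructed sample of /etc/security/pwquality.conf
minlen = 14
dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1
EOF
    audit_5_3_1 "$d/common-password" "$d/pwquality.conf"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

# With two arguments audit those files; otherwise run the demonstration.
if [ $# -eq 2 ]; then audit_5_3_1 "$1" "$2"; else demo_audit; fi
```

Run it as `sh audit_5_3_1.sh /etc/pam.d/common-password /etc/security/pwquality.conf` on a target and check the exit status; a non-zero status with one FAIL line per violated setting is what a configuration-management check would key on.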

Remediation

Run the following command to install the pam_pwquality module:

apt-get install libpam-pwquality

Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy:

password requisite pam_pwquality.so try_first_pass retry=3

Edit /etc/security/pwquality.conf to add or update the following settings to conform to site policy:

minlen=14 
dcredit=-1 
ucredit=-1 
ocredit=-1 
lcredit=-1

Notes

Additional module options may be set; this recommendation only covers those listed here.

On Debian and Ubuntu, /etc/pam.d/common-password is generated by pam-auth-update. Installing libpam-pwquality adds the pam_pwquality.so line through the profile it ships in /usr/share/pam-configs/, and manual edits inside the pam-auth-update managed block of that file are lost the next time it runs, so re-run the audit after any package or PAM profile change.