How to force users to use secure passwords on Ubuntu/Debian Linux

Securing passwords with libpam_cracklib

My Linux shell users can change their password using the passwd command. How can I force users to choose a secure password, so that they cannot pick trivially weak passwords like “abc123”, “password”, “123456” and so on? How do I set up password quality requirements on my Debian or Ubuntu Linux server?

You need to install the libpam-cracklib package, which provides a PAM module that tests passwords during a password change (for example, via the passwd command) to make sure they are not too weak.

The strength checks performed by libpam_cracklib work as follows. First the Cracklib routine is called to check whether the password is part of a dictionary; if it is not, an additional set of strength checks is run. These checks are:

- Is the new password a palindrome?
- Is the new password the old one with only a change of case?
- Is the new password too much like the old one? This is primarily controlled by one argument, difok, the number of character changes (inserts, removals, or replacements) between the old and new password that are enough to accept the new password. This defaults to 5 changes.
- Is the new password too small? This is controlled by six arguments: minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit.
- Is the new password a rotated version of the old password?
- Optional check for the same consecutive characters.
- Optional check for too long a monotonic character sequence.
- Optional check whether the password contains the user’s name in some form.

How to force users to use secure passwords on Ubuntu/Debian

The /etc/passwd file and /etc/shadow file are used on Linux to store user information including passwords.

Installation

Type the following command to install libpam_cracklib on an Ubuntu or Debian Linux based system:

$ sudo apt install libpam-cracklib

OR

$ sudo apt-get install libpam-cracklib

Configuration

You need to edit the file /etc/pam.d/common-password. Keep a backup copy in /root/ first, then open the file in your editor:

$ sudo cp /etc/pam.d/common-password /root/

$ sudo nano /etc/pam.d/common-password

OR

$ sudo cp /etc/pam.d/common-password /root/

$ sudo vi /etc/pam.d/common-password

Now you can force users to choose strong passwords that mix character classes: lowercase letters, uppercase letters, digits, special characters and punctuation. Locate the line:

password requisite pam_cracklib.so retry=3 minlen=8 difok=3

And update it as follows:

password requisite pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2

Where,

retry=3 : Prompt the user at most 3 times before returning with an error. The default is 1.

minlen=16 : The minimum acceptable size for the new password.

difok=3 : This argument changes the default of 5 for the number of character changes in the new password that differentiate it from the old password.

ucredit=-1 : The new password must contain at least 1 uppercase character.

lcredit=-2 : The new password must contain at least 2 lowercase characters.

dcredit=-2 : The new password must contain at least 2 digits.

ocredit=-2 : The new password must contain at least 2 symbols.

Negative (N<0) vs Positive (N>0) numbers in an option

Of course, these are sample values. A negative number such as -2 (e.g. ucredit=-2) indicates the minimum number of upper case letters that a new password must contain. A positive number is the maximum credit for having characters of that class (for dcredit, digits) in the new password: if you have N or fewer digits, each digit counts +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. You may need to adjust these values for your setup so that passwords resist brute force attacks.
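As an added example that is not part of the original article, the following Python script simulates the minlen and credit arithmetic described above, following the rules documented in the pam_cracklib manual page, and runs the article's own sample passwords against both the default policy and the common-password line configured above. The CreditPolicy and check_length names are my own, and only the length-and-class rule is modelled: the dictionary, palindrome, similarity and Cracklib's own fixed length floors are not simulated, so a password accepted here may still be rejected by the real module.

```python
# Added example (not from the original article): simulates the minlen/*credit
# arithmetic described above, per the pam_cracklib manual page. Only the
# length-and-class check is modelled, not the dictionary or similarity checks.
from dataclasses import dataclass

@dataclass
class CreditPolicy:
    minlen: int = 9    # pam_cracklib's default minlen
    dcredit: int = 1   # digits; positive = max bonus, negative = minimum count
    ucredit: int = 1   # uppercase letters
    lcredit: int = 1   # lowercase letters
    ocredit: int = 1   # everything else (symbols, punctuation, space)

def count_classes(password: str) -> dict:
    """Count characters per class (digits / upper / lower / other)."""
    counts = {"digits": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digits"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts

def check_length(password: str, policy: CreditPolicy) -> tuple:
    """Return (ok, reason). A credit N >= 0 lets up to N characters of that
    class each count +1 towards minlen; a credit N < 0 demands at least -N
    characters of that class and gives no bonus."""
    counts = count_classes(password)
    required = policy.minlen
    for cls, credit in (("digits", policy.dcredit), ("upper", policy.ucredit),
                        ("lower", policy.lcredit), ("other", policy.ocredit)):
        if credit >= 0:
            required -= min(counts[cls], credit)   # bonus capped at the credit
        elif counts[cls] < -credit:
            return False, f"needs at least {-credit} {cls}, has {counts[cls]}"
    if len(password) < required:
        return False, f"too short: {len(password)} < effective minlen {required}"
    return True, "length and class requirements met"

# The policy from the common-password line configured above.
ARTICLE_POLICY = CreditPolicy(minlen=16, ucredit=-1, lcredit=-2, dcredit=-2, ocredit=-2)

if __name__ == "__main__":
    for pw in ("abc123", "5I!L0ve@PiaZza6YeS", "s^8Kn<bzg9Ruv,8s"):
        print(f"{pw!r}: default={check_length(pw, CreditPolicy())} article={check_length(pw, ARTICLE_POLICY)}")
```

Note that with all credits negative, as in the article's line, no bonus is ever granted and minlen=16 is the literal minimum length; with the default positive credits, a mixed-class password can be several characters shorter than minlen and still pass.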

Test it

Now if a user tries to set a new simple (weak) password:

$ sudo passwd vivek

New password:

BAD PASSWORD: it is too short

BAD PASSWORD: is too simple

Retype new password:

Sorry, passwords do not match.

New password:

BAD PASSWORD: it is WAY too short

BAD PASSWORD: is a palindrome

Retype new password:

Sorry, passwords do not match.

New password:

Here is a sample password that will pass our requirements:

5I!L0ve@PiaZza6YeS

OR

s^8Kn<bzg9Ruv,8s

Conclusion

And there you have it: secure passwords enforced automatically through the checks and constraints of libpam-cracklib on a Debian or Ubuntu Linux system. You learned how to use a PAM module that tests passwords during a password change to make sure they are not too weak.