A strong password must have 14 characters, including one special character, one number, one uppercase letter and one lowercase letter. Passwords shouldn't be predictable and shouldn't be based on dictionary words. Some administrators and non-technical users do not understand how important strong passwords and security are on Debian and Ubuntu distros. They use predictable passwords like pass123, welcome123 and P@ssword123, and these types of passwords are easy to crack.
This article shows how to force users to use strong passwords in DEB-based distributions like Debian, Ubuntu and Linux Mint using Pluggable Authentication Modules (PAM).
Pluggable Authentication Modules (PAM) is installed by default on DEB-based systems. The next step is to install an additional module called libpam-cracklib.
Run the following command from a terminal:
$ sudo apt-get install libpam-cracklib
The password policies are defined in the /etc/pam.d/common-password file on DEB-based systems. The next step is to back up this file before making changes.
$ sudo cp /etc/pam.d/common-password /etc/pam.d/common-password.bak
The next step is to edit the /etc/pam.d/common-password file. Open the file in an editor such as nano or vi.
$ sudo nano /etc/pam.d/common-password
Find the pam_cracklib.so line and change it as shown below:
password required pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1 difok=2 reject_username
Description of each option mentioned above –
Based on the above information, users should use a password with a complexity score of 12. You can disable the credits by assigning negative values and force the user to use a combination of different characters with a minimum length.
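How minlen and the credit options interact, as an added example that is not part of the original article and is not pam_cracklib's own code: a Python model of the length and credit check only, run against the line above and a constructed variant with negative values. The dictionary lookup, difok and reject_username are not modelled; the function names, STRICT_LINE and the sample passwords are assumptions made for illustration.

```python
import string

# The line from the article, and a constructed variant with negative credits.
PAGE_LINE = ("password required pam_cracklib.so try_first_pass retry=3 minlen=12 "
             "lcredit=1 ucredit=1 dcredit=2 ocredit=1 difok=2 reject_username")
STRICT_LINE = ("password required pam_cracklib.so try_first_pass retry=3 minlen=12 "
               "lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1 difok=2 reject_username")

def parse_options(pam_line):
    """Extract minlen and the four credit options from a pam_cracklib line."""
    # Starting values are the defaults documented in pam_cracklib(8).
    opts = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts

def meets_length_policy(password, opts):
    """Model of the minlen/credit check (ASCII character classes only)."""
    counts = {
        "dcredit": sum(c in string.digits for c in password),
        "ucredit": sum(c in string.ascii_uppercase for c in password),
        "lcredit": sum(c in string.ascii_lowercase for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())
    required = opts["minlen"]
    for name, count in counts.items():
        credit = opts[name]
        if credit >= 0:
            # Positive value: each character of this class, up to the
            # credit, lowers the length the password must actually have.
            required -= min(count, credit)
        elif count < -credit:
            # Negative value: at least that many characters of the class
            # are mandatory, and no length credit is given.
            return False
    return len(password) >= required

if __name__ == "__main__":
    samples = ["pass123", "Ab12!xy", "abcdefghijk", "Ab12!xyzqrst"]  # constructed
    for label, line in (("article line", PAGE_LINE), ("negative credits", STRICT_LINE)):
        opts = parse_options(line)
        for pw in samples:
            verdict = "accepted" if meets_length_policy(pw, opts) else "rejected"
            print(f"{label:17} {pw:13} len={len(pw):2} {verdict}")
```

With the positive credits, a 7-character password that uses all four classes satisfies minlen=12; with the negative values, every class is mandatory and all 12 characters must be present.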
The next step is to verify the password complexity –
The above output shows that users cannot set the password as it does not meet the minimum requirements.
The next output shows that the new password is set as it is based on the defined policy and is secure, i.e. one lowercase, one uppercase, two digits and one other character.