Force strong passwords

PDF

On a Linux machine users normaly can change the password of their own account. A lot of users use weak passwords and their password might be cracked with a dictionary-, or brute-force attack. The PAM module pam_cracklib.so will perform a number of checks on the new password. For example, the new password may not match the old password, the new password may not be the old password reversed neither the same password but in different case. Weak passwords are not allowed. (These check are also done by the module pam_unix if set to obscure.)

With pam_cracklib you can force the length and strength of passwords. minlen controls the minimum password length. This parameter might be a little different as think right now. Using the credit parameters (lcredit, ucredit, dcredit and/or ocredit respectively lower-case, upper-case, digit, other) might change the behaviour. Therefor the minlen is actually the minimum length of a passwords containing only lower-case letters. By default the user get one 'credit' for each type of character. Therefor the system might still accept a users password with less charaters then set in minlen if the user uses all types of characters. For example if you modify /etc/pam.d/system-auth:

password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
Now the system will accept a password with a lenght of total 8 characters as 1 'credit' is give for at least 1 lower-case character, 1 'credit' for at least 1 upper-case character, 1 'credit' for at least 2 digits and 1 'credit' for 1 other. You can however disable the 'credits' but force the use of mixing characters/digits with a minimum length. By using negative values for the 'credits' credits will not be given. For example if you modify /etc/pam.d/system-auth:
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1

the password have to be at least 8 characters of which at least 1 lower-case, 1 upper-case, 2 digits and 1 other.

These restrictions are not enforced for the root user.

 

 

Please login first before adding a comment.

Search






You are here: Home Howtos and FAQs Security Force strong passwords