Enforce Password Complexity Policy On Ubuntu 18.04


Hello folks. Today, we are going to learn how to enforce password complexity policy on Ubuntu 18.04. As you realize, the traditional way of using passwords is still the major method of authenticating to various services. As a result, it is a good idea for every system admin to ensure that strong password policy is enforced since it is always the first line of defense security wise.

Enforce Password Complexity Policy On Ubuntu 18.04

In this guide, we are going to learn how to use the Pluggable Authentication Module (PAM) to enforce password complexity policy on Ubuntu 18.04. PAM is an authentication and security framework that is used to set authentication policies for specific applications/services in Linux system. Note that any error in PAM configuration may completely disable access to a system service. Hence, be sure on the configs.

Are you also looking to protect single user mode with a password on Ubuntu 18.04? See our previous article on how to do that by following the link below;

Install PAM on Ubuntu 18.04

In order to enforce password complexity policy on Ubuntu 18.04, you need the pam_pwquality module, which is provided by the libpam-pwquality package. This module checks the strength of a password against a system dictionary and a set of rules for identifying poor choices. It replaces the libpam-cracklib module. Run the command below to verify whether the PAM pwquality library is installed on Ubuntu 18.04;

apt-cache policy *pam-pwquality*
libpam-pwquality:
  Installed: (none)
  Candidate: 1.4.0-2
  Version table:
     1.4.0-2 500
        500 http://ke.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

As you can see from the output above, the PAM pwquality library is not installed. If it is not installed on your system either, install it as shown below;

apt install libpam-pwquality

Now that we have the right module in place, let us see how to enforce password complexity policy on Ubuntu 18.04 with pam_pwquality module. To enforce password complexity policy on Ubuntu 18.04, you need to edit the /etc/pam.d/common-password configuration file. However, make a copy of this file before you make any adjustments.

cp /etc/pam.d/common-password /etc/pam.d/common-password.original

There are several options that can be passed to pam_pwquality to enforce password complexity policy on Ubuntu 18.04. The options we are going to use in this guide include dcredit, ucredit, lcredit, ocredit, minlen, reject_username, enforce_for_root and retry.

Once you have made the backup of the /etc/pam.d/common-password configuration file, open it for editing. Find the line below;

password        requisite                       pam_pwquality.so retry=3

Comment it and replace with the line below;

password        requisite                       pam_pwquality.so retry=3 minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root

Below is a description of the options used;

retry=3: Sets the number of times you are prompted to enter an acceptable password before an error is returned. It is set to 3 in this case.
minlen=8: Sets the minimum acceptable size for the new password.
difok=3: Specifies the number of characters that should be similar to the characters in the previous password.
lcredit=-1: Sets the minimum number of lower case letters that the password should contain.
ucredit=-1: Sets the minimum number of upper case letters on a password.
dcredit=-1: Sets the minimum number of digits to be contained in a password.
ocredit=-1: Sets the minimum number of other symbols, such as @, #, !, $, %, etc., in a password.
reject_username: Rejects the password if it contains the name of the user in either straight or reversed form.
enforce_for_root: Ensures that the complexity policies are enforced even when it is the root user setting the password. This option is off by default, which means that only the message about the failed check is printed but root can change the password anyway.

Note that when setting the password credits, the negative number sets the minimum value while the positive number sets the maximum values.

If you need to see more options for enforcing password complexity, run man pam_pwquality.
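To see why a candidate password passes or fails the line configured above without touching PAM, here is an added example (it is not code from this page or from libpwquality) that re-implements the relevant checks in simplified form: difok as libpwquality applies it (the edit distance between old and new password must reach difok), reject_username, and the credit arithmetic behind minlen. It also covers positive credits, which the page's configuration does not use. The function name check_password and the sample inputs are my own; libpwquality's dictionary and other checks are not reproduced.

```python
def levenshtein(a, b):
    """Edit distance; libpwquality uses this for the difok similarity test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(new, old="", user="", minlen=8, difok=3, lcredit=-1,
                   ucredit=-1, dcredit=-1, ocredit=-1, reject_username=True):
    """Return the BAD PASSWORD reasons for `new`; an empty list means it passes."""
    errors = []
    # difok: the new password must be at least `difok` edits away from the old
    # one unless it is at least twice as long.
    if old and levenshtein(old, new) < difok and len(new) < 2 * len(old):
        errors.append("The password is too similar to the old one")
    # reject_username: the user name may not appear forwards or reversed.
    if reject_username and user and (user in new or user[::-1] in new):
        errors.append("The password contains the user name in some form")
    counts = {
        "lowercase letters": sum(c.islower() for c in new),
        "uppercase letters": sum(c.isupper() for c in new),
        "digits": sum(c.isdigit() for c in new),
        "non-alphanumeric characters": sum(not c.isalnum() for c in new),
    }
    credits = {"lowercase letters": lcredit, "uppercase letters": ucredit,
               "digits": dcredit, "non-alphanumeric characters": ocredit}
    required = minlen
    for cls, n in counts.items():
        credit = credits[cls]
        if credit < 0:
            # Negative credit: a hard minimum of |credit| characters of this class.
            if n < -credit:
                errors.append(f"The password contains less than {-credit} {cls}")
        else:
            # Positive credit: up to `credit` characters of this class each knock
            # one character off the length that minlen demands.
            required -= min(n, credit)
    if len(new) < required:
        errors.append(f"The password is shorter than {required} characters")
    return errors

if __name__ == "__main__":
    # Constructed inputs mirroring the page's test session (old password amos123).
    for candidate in ("amos124", "password", "P@ssword1"):
        print(candidate, check_password(candidate, old="amos123", user="amos") or "OK")
```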

Test the Password Complexity enforcement

To test this, as the user amos, I am going to try three passwords that do not meet the requirements above (at least 8 characters, a digit, a lowercase letter, a symbol and an uppercase letter).

amos@ubuntu18:~$ passwd
Changing password for amos.
(current) UNIX password: 
New password: 
BAD PASSWORD: The password is too similar to the old one
New password: 
BAD PASSWORD: The password contains less than 1 digits
New password: 
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged

Next, I am going to use a more complex password that meets the policy defined above: P@ssword1.

amos@ubuntu18:~$ passwd
Changing password for amos.
(current) UNIX password: amos123
New password: P@ssword1
Retype new password: P@ssword1
passwd: password updated successfully

Test the password change as the root user.

root@ubuntu18:~# passwd amos
New password: 
BAD PASSWORD: The password contains less than 1 uppercase letters
New password: 
BAD PASSWORD: The password contains less than 1 digits
New password: 
BAD PASSWORD: The password contains less than 1 non-alphanumeric characters
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
root@ubuntu18:~# passwd amos
New password: H@cker123
Retype new password: H@cker123
passwd: password updated successfully

That is it. That is all it takes to enforce password complexity policy on Ubuntu 18.04. We hope this was informative. Enjoy.


koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
