How do I enforce a password complexity policy?
Password complexity is enforced by the pam_cracklib
module.
In order to modify the password policy for your local machine, you will need to modify your /etc/pam.d/common-password
file.
From a terminal window (Ctrl+Alt+T), enter the following command:
sudo -i gedit /etc/pam.d/common-password
Add the following line to the file (before pam_unix.so
or whichever PAM module is used primarily for authentication, as can be seen from examples in the manpage) and save the file:
password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This statement implements the following password requirements:
dcredit
== digitucredit
== upper-case characterlcredit
==lower-case characterocredit
== other character (special characters, including!
,
@
#
$
%
)
This should satisfy your requirements.
You could also use the variables minlength
and retries
to further restrict the password requirements.
Here is another good example of modifying a password policy in this manner would be placing the following line in the /etc/pam.d/common-password
file:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This entry will set a maximum of three attempts at getting an acceptable password with a 10-character minimum length.
This sets the requirement for users to have a minimum of three characters different from the last password.
This will also fulfill the requirement of having the password contain at least one each of digit, lower-case character, and upper-case characters.
See also this article on setting up stronger password policy rules in linux.