How to ensure password quality in Linux

One of the easiest ways to increase the security of your server is to ensure that each user’s password meets a certain minimum length. There are, of course, other considerations, such as a mix of uppercase and lowercase letters, numbers, and special characters. But the minimum password length is the main attribute. Each additional character in the password increases its strength exponentially. In this article, we’ll show you how to ensure a minimum password length for all your Linux users.

Step 1. Make sure you have administrator permissions

The changes we’ll be making require you to either be root or have “sudo” permissions. Getting sudo permissions is another discussion. But if you want to switch to root from any other user, just enter the following command:

su - root

Enter your root password. It’s worth noting that performing tasks while logged in as root is almost never a good idea. Get sudo permissions and do what you need to do!

Step 2: Check the existing minimum length

By default, your current password configuration should already have a minimum length. For our setup, this is 8 characters. You can check if any password is correct using the following command:

pwscore

Press “Enter” and enter the password on the next line. For instance:

In the screenshot above, you can see that we have entered the password “1234567”. This does not match the minimum password length of 8, so we get an error message telling us. Of course, this password does not meet many other requirements. But the minimum length is the first check.

Step 3. Open the pwquality.conf file

All your password requirements are specified in the following file:

/etc/security/pwquality.conf

Along with the minimum length, it allows you to assign varying degrees of importance to the characteristics of your password. We’ll look at them a little later. For now, just open it with a text editor:

vi /etc/security/pwquality.conf

Now let’s set the minimum length

Step 4: Set the minimum password length

In a text editor, scroll down to the next line:

# minlen = 9

How to ensure password quality in Linux

To change the minimum length, complete the following two tasks:

  1. Remove the hash character (#) from the beginning of the line
  2. Change the length to the desired length
  3. Change the following parameters to “0” and remove the hash (#) for them
    1. dcredit
    2. ucredit
    3. lcredit
    4. ocredit

So if you want the minimum length to be 10, change minlen and others as shown below:

How to ensure password quality in Linux

Save the file.

Step 5: check the changes

Now when we use the “pwscore” command again, the new password length is entered. Here’s the proof:

How to ensure password quality in Linux

In this screenshot we are using the password “qjtdysi7” – it is stronger than last time. Since we set “minlen” to 10, the minimum password length is now 9.

Step 6 (optional): configure other password options

In step 4, we disabled “credits”, which gives password dots for things like numbers, capital letters, and symbols other than the previous password. The default for these was “1”, which means that every time you use one of these symbols, a score is added to the length.

If we omit step 4, it allows users to bypass the minimum length using a combination of characters and numbers. So, for example, “minlen” of 9 can be overcome by the previous password:

qjtdysi7

Although it only has 8 characters, it contains numbers and lowercase letters. This increases the score to 10 and thus meets our password requirements.

You can set the “minlen” parameter to a larger number and give people additional password complexity. You can set various credits to a negative number to force a certain number of characters to be entered. The value “dcredit” -3 means that the password must be at least 3 digits.

The pwquality.conf file documents all of these parameters, and you can create password rules that are as complex as you like! But here we showed you how to get started with minimal length. You can take it from there!

Related Posts