One of the easiest ways to increase the security of your server is to ensure that each user’s password meets a certain minimum length. There are, of course, other considerations, such as a mix of uppercase and lowercase letters, numbers, and special characters. But the minimum password length is the main attribute. Each additional character in the password increases its strength exponentially. In this article, we’ll show you how to ensure a minimum password length for all your Linux users.
Step 1: Make sure you have administrator permissions
The changes we’ll be making require you to either be root or have “sudo” permissions. Getting sudo permissions is another discussion. But if you want to switch to root from any other user, just enter the following command:
su - root
Enter your root password. It’s worth noting that performing tasks while logged in as root is almost never a good idea. Get sudo permissions and do what you need to do!
Step 2: Check the existing minimum length
By default, your current password configuration should already enforce a minimum length; for our setup, it is 8 characters. You can check whether a password meets the policy using the pwscore command:
Press “Enter” and enter the password on the next line. For instance:
In the screenshot above, you can see that we have entered the password “1234567”. This does not meet the minimum password length of 8, so we get an error message telling us so. Of course, this password fails many other requirements as well, but the minimum length is the first check.
Step 3: Open the pwquality.conf file
All your password requirements are specified in the following file:
Along with the minimum length, it lets you assign different weights to other characteristics of the password, such as the character classes it uses. We’ll look at those a little later. For now, just open it with a text editor and let’s set the minimum length.
Step 4: Set the minimum password length
In a text editor, scroll down to the next line:
# minlen = 9
To change the minimum length, complete the following tasks:
- Remove the hash character (#) from the beginning of the line
- Change the length to the desired length
- Change the credit parameters that follow it (dcredit, ucredit, lcredit and ocredit) to “0” and remove the hash (#) from those lines as well
So if you want the minimum length to be 10, change minlen and others as shown below:
Save the file.
Step 5: check the changes
Now, when we use the “pwscore” command again, the new minimum length is enforced. Here’s the proof:
In this screenshot we are using the password “qjtdysi7”, which is stronger than last time. Since we set “minlen” to 10, the minimum password length is now 9.
Step 6 (optional): configure other password options
In step 4, we disabled the “credits”, which award a password extra points for things like digits, capital letters and symbols on top of its raw length. The default for each of these was “1”, which means that every character class you use adds one point to the effective length.
If we skip that part of step 4, users can bypass the minimum length with a mix of letters and digits. For example, a “minlen” of 9 can be satisfied by the earlier password:
Although it has only 8 characters, it contains digits and lowercase letters. This raises the score to 10 and so meets our password requirements.
You can set the “minlen” parameter to a larger number and reward users for additional password complexity. You can also set the various credits to a negative number to require a certain number of characters of that class: a “dcredit” value of -3 means the password must contain at least 3 digits.
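To make the credit arithmetic from steps 4 and 6 concrete, here is an added example (not libpwquality’s own code) that models only the minlen and credit rules; the real library applies further checks such as dictionary words and repeated characters, which are skipped here. The baseline values and the two config fragments are constructed for illustration.

```python
# Added example: a simplified model of how minlen and the four credit
# settings in pwquality.conf combine. It is not libpwquality's own code and
# skips its other checks (dictionary words, repeated characters, etc.).

CLASSES = {  # credit setting -> membership test for that character class
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda c: not (c.isdigit() or c.isupper() or c.islower()),
}
# Assumed baseline for keys that are commented out (the article's default of 8).
DEFAULTS = {"minlen": 8, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}


def parse_pwquality(text):
    """Parse 'key = value' lines; a leading '#' leaves the line disabled."""
    config = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            config[key] = int(value)
    return config


def check_password(password, config):
    """Return None if the password passes, otherwise the reason it fails.

    Credit N > 0: each character of the class adds 1 to the score, up to N.
    Credit -N: no bonus, but at least N characters of the class are required.
    Credit 0: the class is neither rewarded nor required.
    """
    score = len(password)
    for name, is_member in CLASSES.items():
        credit = config[name]
        count = sum(1 for ch in password if is_member(ch))
        if credit > 0:
            score += min(count, credit)
        elif credit < 0 and count < -credit:
            return f"needs at least {-credit} characters for {name}"
    if score < config["minlen"]:
        return f"score {score} is below minlen {config['minlen']}"
    return None


# Constructed fragments: credits left on with minlen 9 (the step 6 example),
# and the step 4 edit with credits off and minlen raised to 10.
CREDITS_ON = "minlen = 9\n# dcredit = 1\n"
CREDITS_OFF = "minlen = 10\ndcredit = 0\nucredit = 0\nlcredit = 0\nocredit = 0\n"
```

With CREDITS_ON, “qjtdysi7” scores 8 + 1 (digit) + 1 (lowercase) = 10 and passes; with CREDITS_OFF it scores 8 and fails.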
The pwquality.conf file documents all of these parameters, and you can create password rules that are as complex as you like. Here we have shown you how to get started with the minimum length; you can take it from there!