Enforce strong passwords in Debian
Outdated content
Published on 2011-03-17.
This tutorial explains how you can enforce a strong password for users on Debian.
On Linux, the passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.
passwd uses PAM (Pluggable Authentication Modules) to authenticate users and to change their passwords.
To enforce stricter password rules, you need to install the pam_cracklib module, which Debian ships in the libpam-cracklib package:
# apt-get install libpam-cracklib
Once it is installed, you can set up the rules in /etc/pam.d/common-password.
In the following example I have set up a line that requires the user to select a password with a minimum length of 10 (minlen=10) and with at least 4 numbers (dcredit=-4), 1 upper case letter (ucredit=-1), and 1 other character (ocredit=-1). The user is given only 1 opportunity to enter a strong password (retry=1), and the password can't contain the user name (reject_username).
password requisite pam_cracklib.so retry=1 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username
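To see which candidate passwords the line above accepts before rolling it out, the following added example (not part of the original tutorial and not pam_cracklib's own code) models the credit, minlen and reject_username rules in Python. The function names are hypothetical, the user-name match is modelled as a case-insensitive check of the name forwards and reversed, and cracklib's dictionary and similarity checks are not modelled.

```python
import string

# Constructed sample: the common-password line from this tutorial.
PAM_LINE = ("password requisite pam_cracklib.so retry=1 dcredit=-4 ucredit=-1 "
            "ocredit=-1 lcredit=0 minlen=10 reject_username")
# pam_cracklib's documented defaults for options missing from the line.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

def parse_options(line):
    """Return (numeric options, bare flags) from the module arguments."""
    args = line.split()[3:]          # skip type, control flag, module name
    opts = dict(DEFAULTS)
    flags = set()
    for arg in args:
        key, sep, value = arg.partition("=")
        if sep and key in DEFAULTS:
            opts[key] = int(value)
        elif not sep:
            flags.add(arg)
    return opts, flags

def check(password, user, line=PAM_LINE):
    """Return the violated rules; an empty list means every modelled rule passes."""
    opts, flags = parse_options(line)
    have = {
        "dcredit": sum(c in string.digits for c in password),
        "ucredit": sum(c in string.ascii_uppercase for c in password),
        "lcredit": sum(c in string.ascii_lowercase for c in password),
    }
    have["ocredit"] = len(password) - sum(have.values())
    problems = []
    needed = opts["minlen"]
    for key, count in have.items():
        credit = opts[key]
        if credit < 0:               # negative: at least |credit| characters required
            if count < -credit:
                problems.append(f"{key}: need {-credit}, found {count}")
        else:                        # zero/positive: up to `credit` chars shorten minlen
            needed -= min(count, credit)
    if len(password) < needed:
        problems.append(f"minlen: need {needed}, found {len(password)}")
    lowered = password.lower()
    if "reject_username" in flags and user and (
            user.lower() in lowered or user.lower()[::-1] in lowered):
        problems.append("reject_username: password contains the user name")
    return problems
```

With the tutorial's line, all credits are negative or zero, so no character class shortens the required length and every password must be at least 10 characters long.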