Why This Matters
By default, accounts can use any password they want, including weak ones like “password123” or “admin”. This creates a significant security vulnerability. pwquality (via pam_pwquality) provides “a way to configure the default password quality requirements for the system passwords” and checks “its strength against a system dictionary and a set of rules for identifying poor choices.”

How It Works

On Linux, PAM (Pluggable Authentication Modules) is responsible for authentication. When an account needs to set or change a password, PAM’s password task handles the request. We’ll configure PAM to pass all new passwords through libpam-pwquality to verify they meet our security requirements. If the password meets the requirements, it’s accepted; otherwise, the user gets an error and must choose a stronger password.

Installation and Configuration
Password Requirements Explained
Here’s what each option in the configuration means:

| Option | Value | Description |
|---|---|---|
| retry | 3 | Prompt the user 3 times before returning an error |
| minlen | 10 | Minimum password length (after credits/debits) |
| difok | 3 | At least 3 characters must differ from the old password |
| ucredit | -1 | Must have at least one uppercase letter (a negative value means required) |
| lcredit | -1 | Must have at least one lowercase letter |
| dcredit | -1 | Must have at least one digit |
| ocredit | -1 | Must have at least one non-alphanumeric character |
| maxrepeat | 3 | Maximum of 3 repeated characters in a row allowed |
| gecoscheck | - | Do not allow passwords containing the account’s name |
Credit System: Positive credit values give “credit” that reduces the minimum length requirement. Negative credit values require that character type. For example:

- `ucredit=1` means each uppercase letter reduces minlen by 1
- `ucredit=-1` means at least one uppercase letter is required
Password Examples
These passwords would be REJECTED:
- `password` - too short, no uppercase, no digit, no special character
- `Password1` - no special character
- `Pass@123` - too short (only 8 characters)
- `Johndoe@123` - contains username (if username is “johndoe”)
- `Passssword@1` - too many repeated characters (s)
These passwords would be ACCEPTED:
- `MyP@ssw0rd!` - 11 characters, mixed case, digit, special character
- `S3cur3#Pass` - 11 characters, all requirements met
- `C0mpl3x!ty` - 10 characters, all requirements met
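To make the credit arithmetic and the other checks in the options table concrete, here is a small Python model of how pam_pwquality evaluates a candidate password against this page's policy, run over the password examples above. It is an added example, not code from the guide or from libpwquality; the account-name check is simplified to the username and its reverse, and the `LENIENT` policy in the comments is a constructed variant to show positive credits.

```python
import string
# The policy from this page's configuration (negative credit = "at least one required")
POLICY = dict(minlen=10, difok=3, ucredit=-1, lcredit=-1, dcredit=-1, ocredit=-1, maxrepeat=3)
# (option, human name, characters in the class; None = anything that is not a letter or digit)
CLASSES = [("ucredit", "uppercase", string.ascii_uppercase),
           ("lcredit", "lowercase", string.ascii_lowercase),
           ("dcredit", "digit", string.digits),
           ("ocredit", "non-alphanumeric", None)]

def _distance(a, b):
    """Levenshtein edit distance, which is how difok compares the new and old passwords."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password(pw, username="", old=None, policy=POLICY):
    """Return [] if pw satisfies the policy, otherwise the list of reasons it fails."""
    reasons, credits = [], 0
    for opt, name, chars in CLASSES:
        n = sum((c in chars) if chars else (c not in string.ascii_letters + string.digits) for c in pw)
        credit = policy[opt]
        if credit < 0 and n < -credit:      # negative credit: that many characters are required
            reasons.append(f"needs at least {-credit} {name} character(s)")
        elif credit > 0:                    # positive credit: each such character earns one credit,
            credits += min(n, credit)       # capped at the option value (as libpwquality does)
    if len(pw) + credits < policy["minlen"]:  # credits lower the effective minimum length
        reasons.append(f"too short: {len(pw)} chars + {credits} credit(s) < minlen {policy['minlen']}")
    run = 1
    for prev_c, c in zip(pw, pw[1:]):       # maxrepeat: a run of identical consecutive characters
        run = run + 1 if c == prev_c else 1
        if run > policy["maxrepeat"]:
            reasons.append(f"more than {policy['maxrepeat']} repeated '{c}'")
            break
    low, user = pw.lower(), username.lower()
    if user and (user in low or user[::-1] in low):  # simplified account-name check
        reasons.append("contains the account name")
    if old is not None and _distance(old, pw) < policy["difok"] and len(pw) < 2 * len(old):
        reasons.append(f"fewer than {policy['difok']} characters differ from the old password")
    return reasons

if __name__ == "__main__":  # constructed inputs: the examples from this page, username "johndoe"
    for pw in ["password", "Password1", "Pass@123", "Johndoe@123", "Passssword@1",
               "MyP@ssw0rd!", "S3cur3#Pass", "C0mpl3x!ty"]:
        why = check_password(pw, username="johndoe")
        print(f"{pw:13} {'ACCEPTED' if not why else 'REJECTED: ' + '; '.join(why)}")
```

Passing `policy=dict(POLICY, ucredit=1, dcredit=1, ocredit=0)` shows the positive-credit case: `Abcdefg1` (8 characters plus 2 credits) then satisfies minlen=10.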
Testing Password Requirements
You can test the password requirements without changing any account passwords:

- Score 0-49: Weak
- Score 50-79: Medium
- Score 80-100: Strong
Customizing Requirements
You can adjust the requirements to match your security policy. For example:

More Strict:

What This Does
With password quality requirements enforced:

- Users cannot set weak passwords
- All new passwords must meet complexity requirements
- Password changes are validated against security rules
- Brute-force attacks become exponentially harder
- Compliance requirements are met
Additional Security
Consider combining this with:

- Password expiration policies (in /etc/login.defs)
- Password history (prevent reusing old passwords)
- Account lockout policies (with faillock or pam_tally2)
- Two-factor authentication for SSH