Installing and configuring pwquality
We'll be using the pwquality module for PAM (Pluggable Authentication Module). This is a newer technology that has replaced the old cracklib module. On a Red Hat 7 or CentOS 7 system, pwquality is installed by default, even if you do a minimal installation. If you cd into the /etc/pam.d directory, you can do a grep operation to see that the PAM configuration files are already set up. The retry=3 means that a user will only have three tries to get the password right when logging into the system:
[donnie@localhost pam.d]$ grep 'pwquality' *
password-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password-auth-ac:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
system-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
system-auth-ac:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
[donnie@localhost pam.d]$
For your Ubuntu system, you'll need to install pwquality yourself. You'll do that with the command:
sudo apt install libpam-pwquality
We'll now cd into the /etc/pam.d directory and perform the same grep command that we did before. We'll see that installing the libpam-pwquality modules automatically updates the PAM configuration files:
donnie@packt:/etc/pam.d$ grep 'pwquality' *
common-password:password requisite pam_pwquality.so retry=3
donnie@packt:/etc/pam.d$
The rest of the procedure is the same for both operating systems and consists of just editing the /etc/security/pwquality.conf file. When you open this file in your text editor, you'll see that everything is commented out, which means that no password complexity criteria are in effect. You'll also see that it's very well-documented because every setting has its own explanatory comment.
You can set password complexity criteria however you want just by uncommenting the appropriate lines and setting the proper values. Let's take a look at just one setting:
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
The minimum length setting works on a credit system. This means that for every different type of character class in the password, the minimum required password length will be reduced by one character. For example, let's set the minlen to a value of 19 and try to assign Katelyn the password, turkeylips:
minlen = 19
[donnie@localhost ~]$ sudo passwd katelyn
Changing password for user katelyn.
New password:
BAD PASSWORD: The password is shorter than 18 characters
Retype new password:
[donnie@localhost ~]$
Because the lowercase characters in turkeylips count as credit for one type of character class, we're only required to have 18 characters instead of 19. If we try this again with TurkeyLips, we'll get:
[donnie@localhost ~]$ sudo passwd katelyn
Changing password for user katelyn.
New password:
BAD PASSWORD: The password is shorter than 17 characters
Retype new password:
[donnie@localhost ~]$
This time, the uppercase T and uppercase L count as a second character class, so we only need to have 17 characters in the password.
Just below the minlen line, you'll see the credit lines. Let's say that you don't want lowercase letters to count toward your credits. You would find this line:
# lcredit = 1
And change the 1 to a 0:
lcredit = 0
Then, try assigning Katelyn turkeylips as a password:
[donnie@localhost ~]$ sudo passwd katelyn
Changing password for user katelyn.
New password:
BAD PASSWORD: The password is shorter than 19 characters
Retype new password:
[donnie@localhost ~]$
This time, pwquality really does want 19 characters. If we set a credit value to something higher than one, we would get credit for multiple characters of the same class type, up to that value.
We can also set the credit values to negative numbers in order to require a certain number of character types in a password. Consider the following example:
dcredit = -3
This would require at least three digits in a password. However, it's really a bad idea to use this feature, because someone who's doing a password attack would soon find the patterns that you require, which would help the attacker to more precisely direct the attack. If you need to require that a password has multiple character types, it would be better to use the minclass parameter:
# minclass = 3
The commented-out line already shows a value of three, which would require characters from three different classes. To use this value, all you have to do is remove the comment symbol.
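The credit arithmetic described above (minlen reduced by one per character class, credits capped at the credit value, negative credits turned into hard requirements, and minclass counted separately) is easy to get wrong when reading the configuration file. The following script is an added illustration, not part of the book or of libpwquality itself: it parses pwquality.conf-style lines and reimplements only the length, credit and minclass logic so you can predict what pwquality will say before you touch a real system. It does not perform the dictionary, similarity or repeat checks that the real module also runs. The configuration text and the passwords are constructed for the example; the function names are my own.

```python
"""Predict pwquality's minlen/credit/minclass verdict for a candidate password.

Added example (not libpwquality code). Implements only the length-credit and
minclass rules documented in pwquality.conf; dictionary, similarity and
repeat checks are deliberately out of scope.
"""
from dataclasses import dataclass


@dataclass
class PwqSettings:
    # Defaults match the commented-out values shipped in pwquality.conf.
    minlen: int = 8
    dcredit: int = 1   # digits
    ucredit: int = 1   # uppercase letters
    lcredit: int = 1   # lowercase letters
    ocredit: int = 1   # other (non-alphanumeric) characters
    minclass: int = 0  # 0 means "no minimum number of classes"


def parse_pwquality_conf(text: str) -> PwqSettings:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored,
    so a fully commented file yields the defaults, exactly as on disk."""
    settings = PwqSettings()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if hasattr(settings, key):
            setattr(settings, key, int(value))
    return settings


def class_counts(password: str) -> dict:
    """Count characters per class the way pwquality does (digit/upper/lower/other)."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def check_password(password: str, s: PwqSettings) -> tuple:
    """Return (accepted, message). The message mirrors pwquality's wording
    for the length failure so it can be compared with real output."""
    counts = class_counts(password)
    credits = {"digit": s.dcredit, "upper": s.ucredit,
               "lower": s.lcredit, "other": s.ocredit}
    size = s.minlen  # effective minimum length, reduced by earned credits

    for cls, credit in credits.items():
        n = counts[cls]
        if credit >= 0:
            # Positive credit: each character of this class, up to 'credit',
            # knocks one character off the required length.
            size -= min(n, credit)
        elif n < -credit:
            # Negative credit: a hard requirement for at least -credit chars.
            return False, f"The password contains less than {-credit} {cls} characters"

    nclasses = sum(1 for n in counts.values() if n)
    if s.minclass and nclasses < s.minclass:
        return False, f"The password contains less than {s.minclass} character classes"

    if len(password) < size:
        return False, f"The password is shorter than {size} characters"
    return True, "OK"


# Constructed configuration reproducing the book's walkthrough: minlen = 19
# with default credits, i.e. the state of the file after uncommenting minlen.
BOOK_CONF = """
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
minlen = 19
# lcredit = 1
"""

if __name__ == "__main__":
    cfg = parse_pwquality_conf(BOOK_CONF)
    for candidate in ("turkeylips", "TurkeyLips"):
        print(candidate, "->", check_password(candidate, cfg)[1])
    cfg.lcredit = 0
    print("turkeylips with lcredit=0 ->", check_password("turkeylips", cfg)[1])
```

On a real host the authoritative answer comes from the `pwscore` utility shipped with libpwquality, which reads a candidate from standard input and reports the same rejection text; the script above is only a way to reason about the arithmetic in advance.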
The rest of the parameters in pwquality.conf work pretty much the same way, and each one has a well-written comment to explain what it does.
If you use your sudo privilege to set someone else's password, the system will complain if you create a password that doesn't meet complexity criteria, but it will let you do it. If a normal user were to try to change his or her own password without sudo privileges, the system would not allow a password that doesn't meet complexity criteria.