How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?
Installing a PAM
Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.
For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.

A PAM is installed and running by default in CentOS, Fedora, and EulerOS.
Setting a Password Complexity Policy
A proper password complexity policy would be: eight characters for the length of a password and at least three types of the following characters used: uppercase letters, lowercase letters, digits, and special characters.

- CentOS, Fedora, and EulerOS
  - Run the following command to edit the /etc/pam.d/system-auth file:
    vi /etc/pam.d/system-auth
  - Find the following information in the file:
  - Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
    Example:
    password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type=
    Set dcredit, ucredit, lcredit, and ocredit to negative numbers.
Table 1 Parameter description

| Parameter | Description | Example |
|---|---|---|
| minlen | Minimum length of a password. A PAM uses credits by default, so minlen must be set to the desired minimum length plus one. For example, if you want the minimum length to be seven, set the minlen value to 8. | minlen=8 |
| dcredit | Number of digits. A negative value (for example, -N) indicates the number (for example, N) of digits required in a password. A positive value indicates that there is no limit. | dcredit=-1 |
| ucredit | Number of uppercase letters. A negative value (for example, -N) indicates the number (for example, N) of uppercase letters required in a password. A positive value indicates that there is no limit. | ucredit=-1 |
| lcredit | Number of lowercase letters. A negative value (for example, -N) indicates the number (for example, N) of lowercase letters required in a password. A positive value indicates that there is no limit. | lcredit=-1 |
| ocredit | Number of special characters. A negative value (for example, -N) indicates the number (for example, N) of special characters required in a password. A positive value indicates that there is no limit. | ocredit=-1 |
- Debian and Ubuntu
  - Run the following command to edit the /etc/pam.d/common-password file:
    vi /etc/pam.d/common-password
  - Find the following information in the file:
  - Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
    Example:
    password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
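
One way to verify the result of either procedure, as an added example that is not part of the original page: a POSIX shell function that audits a pam_cracklib line for minlen of 8 or more and negative dcredit, ucredit, lcredit, and ocredit values. The function names and the two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a pam_cracklib line
# against the policy in this FAQ: minlen >= 8 and negative *credit values.

# get_opt LINE KEY: print the value of KEY=value in LINE; fail if absent.
get_opt() {
    set -f                      # no glob expansion while splitting the line
    for tok in $1; do
        case $tok in
            "$2"=*) set +f; printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# is_int VALUE: succeed if VALUE is an optionally negative integer.
is_int() {
    case ${1#-} in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_cracklib_line LINE: print one finding per problem, return 0 if compliant.
check_cracklib_line() {
    rc=0
    case $1 in
        \#*) echo "line is commented out"; return 1 ;;
        *pam_cracklib.so*) ;;
        *) echo "pam_cracklib.so not referenced"; return 1 ;;
    esac
    v=$(get_opt "$1" minlen) || v=
    if ! is_int "$v" || [ "$v" -lt 8 ]; then
        echo "minlen=${v:-unset}: expected 8 or more"; rc=1
    fi
    for key in dcredit ucredit lcredit ocredit; do
        v=$(get_opt "$1" "$key") || v=
        if ! is_int "$v" || [ "$v" -ge 0 ]; then
            echo "$key=${v:-unset}: expected a negative number"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample lines; on a real host take the line from, for example,
#   grep pam_cracklib.so /etc/pam.d/system-auth
GOOD='password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 type='
WEAK='password requisite pam_cracklib.so retry=3 minlen=6 dcredit=1 ucredit=-1 difok=3'
```

Calling `check_cracklib_line "$WEAK"` prints one finding per missing or non-compliant parameter and returns a non-zero status, so the function can gate a configuration check script.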