Security Utilities

How to enable and enforce secure password policies on Ubuntu

Secure passwords are the first line of defense against unauthorized access whether it is your personal computer or the server in your organization. However, some employees do not take it seriously and keep using insecure and easy to guess passwords which make their systems compromised. Therefore, it becomes critical for system administrators to enforce a secure password policy for users. In addition, it’s important to change the password after a certain period of time.

In this article, we will learn how to enable and enforce secure password policies on Ubuntu. Also we will discuss how to set a policy that enforce users to change their password at regular interval.

Note that we have explained the procedure on Ubuntu 18.04 LTS system.

A strong password should contain:

  • Upper case letters
  • Lower case letters
  • Digits
  • Symbols

To enforce a secure password policy in Ubuntu, we will use the pwquality module of PAM. To install this module, launch the Terminal by using Ctrl+Alt+T shortcut. Then run this command in Terminal:

$ sudo apt install libpam-pwquality

When prompted for the password, enter the sudo password.

Now first copy “/etc/pam.d/common-password” file before configuring any changes.

And then edit it for configuring password policies:

$ sudo nano /etc/pam.d/common-password

Look for the following line:

Password   requisite   pam_pwquality.so retry=3

And replace it with the following:

password        requisite
pam_pwquality.so retry=4 minlen=9 difok=4 lcredit=-2 ucredit=-2 dcredit=
-1 ocredit=-1 reject_username enforce_for_root

Let’s see what the parameters in above command mean:

  • retry: No. of consecutive times a user can enter an incorrect password.
  • minlen: Minimum length of password
  • difok: No. of character that can be similar to the old password
  • lcredit: Min No. of lowercase letters
  • ucredit: Min No. of uppercase letters
  • dcredit: Min No. of digits
  • ocredit: Min No. of symbols
  • reject_username: Rejects the password containing the user name
  • enforce_for_root: Also enforce the policy for the root user

Now reboot the system to apply the changes in the password policy.

$ sudo reboot

Test the secure password policy

After configuring the secure password policy, it’s better to verify whether it is working or not. To verify it, set a simple password that does not fulfill the above configured secure password policy requirements. We will check it on a test user.

Run this command to add a user:

$ sudo useradd  testuser

Then set a password.

$ sudo passwd testuser

Now try to enter a password that does not include:·

  • Uppercase letter
  • Digit
  • Symbol

You can see none of the above-tried passwords has accepted, as they do not meet the minimum criteria defined by the password policy.

Now try adding a complex password that meets the criteria defined by the password policy (Total length: 8 with Minimum:1 uppercase letter, 1 lowercase letter, 1 digit and 1 symbol). Let’s say: Abc.89*jpl.

You can see that the password has now accepted.

Configure password expiration period

Changing the password at regular interval helps limits the period of unauthorized use of passwords. Password expiration policy can be configured through “/etc/login.defs” file.Run this command to edit this file:

$ sudo nano /etc/login.defs

Add the following lines with values as per your requirements.

PASS_MAX_DAYS 120PASS_MIN_DAYS 0PASS_WARN_AGE 8

Note that the above-configured policy will only apply on the newly created users. To apply this policy to an existing user, use “chage” command.

To use chage command, syntax is:

$ chage [options] username

Note: To execute the chage command, you must be the owner of the account or have root privilege otherwise, you will not be able to view or modify the expiry policy.

To view the current password expiry/aging details, the command is:

$ sudo chage –l username

To configure the maximum No. of days after which a user should change the password.

$ sudo chage -M <No./_of_days> <user_name>

To configure the minimum No. of days required between the change of password.

$ sudo chage -m <No._of_days> <user_name>

To configure warning prior to password expiration:

$ sudo chage -W <No._of_days> <user_name>

That is all there is to it! Having a policy that enforces users to use secure passwords and change them regularly after some interval is necessary to ensure system safety and security. For more information regarding the tools discussed in this article, such as pam_pwquality and Chage, see their man pages.

About the author

Karim Buzdar

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.