Implementing strong password complexity rules is a critical step in securing any system, especially servers like those running on CentOS 7 and RHEL. Weak passwords are a common entry point for attackers. Enforcing complexity ensures users create passwords that are significantly harder to guess or crack.
The standard and most effective way to enforce password complexity on these systems is by leveraging Pluggable Authentication Modules (PAM). PAM is a powerful framework that separates authentication services from applications. The specific module responsible for password quality checks is pam_pwquality. This module is typically configured to run during the password change process.
The behavior of pam_pwquality is controlled through the configuration file located at /etc/security/pwquality.conf. This file contains various parameters that dictate the minimum requirements for new passwords. You will need root privileges to edit this file.
Inside /etc/security/pwquality.conf, you will find several settings you can adjust to define your complexity policy. Here are some of the most important ones:
- minlen: This parameter sets the minimum acceptable length for a new password. A higher number dramatically increases security.
- lcredit, ucredit, dcredit, ocredit: These parameters control the minimum number of required lowercase characters (lcredit), uppercase characters (ucredit), digits (dcredit), and other (special) characters (ocredit). The values are typically set as negative numbers, where, for example,
-1means at least one character of that type is required. Setting these ensures variety. - minclass: This sets the minimum number of character classes required. For example, setting minclass=3 might require a password to contain characters from at least three out of the four classes (lowercase, uppercase, digits, special).
- difok: This parameter specifies the minimum number of characters that must be different from the old password when a user changes it. This prevents users from making trivial changes to bypass policies.
- maxrepeat: This sets the maximum number of allowed consecutive identical characters. Preventing too many repeating characters makes brute-force guessing harder.
- Other parameters like
gecoscheck,reject_username, andmaxclassrepeatcan add further restrictions, such as disallowing dictionary words, the username, or too many consecutive characters of the same type.
After modifying /etc/security/pwquality.conf, the changes typically take effect immediately for new password changes. You do not usually need to restart system services related to authentication. To verify your settings, attempt to change a user’s password (passwd username) and try setting a password that violates the rules you configured. The system should reject it and inform you of the reason, confirming your complexity policy is active.
Properly configuring password complexity using pam_pwquality on CentOS 7 and RHEL is a fundamental security practice. By setting robust requirements for length, character classes, and differences from previous passwords, you significantly strengthen your system’s defenses against unauthorized access.
Source: https://kifarunix.com/enforce-password-complexity-policy-on-centos-7-rhel-derivatives/
