How to Enforce Strong Password Policies on Ubuntu: A Step-by-Step Guide
In today’s digital landscape, securing your Ubuntu server is not just a best practice—it’s a necessity. One of the most common vulnerabilities exploited by attackers is weak or easily guessable user passwords. Brute-force and dictionary attacks can quickly compromise a system that doesn’t enforce strong password requirements.
Fortunately, Ubuntu provides a powerful and flexible tool to lock down this critical security layer. By implementing a robust password complexity policy, you can significantly reduce your server’s attack surface. This guide will walk you through the process of setting up and enforcing these rules using Ubuntu’s built-in Pluggable Authentication Modules (PAM).
The Key to Password Security: pam_pwquality
The core of password policy enforcement on modern Linux systems, including Ubuntu, is a module called pam_pwquality. This module integrates with the system’s authentication framework to check the quality of new passwords against a set of rules you define. When a user tries to set a new password, pam_pwquality intercepts the request and either approves it or rejects it with a helpful message explaining why.
Let’s get your server secured.
Step 1: Install the pwquality Library
While the necessary components are often included in a standard server installation, it’s always best to ensure the libpam-pwquality package is installed. This library contains the tools and configuration files we need.
Open your terminal and run the following command:
sudo apt update && sudo apt install libpam-pwquality
This command first updates your package list and then installs the library, ensuring you’re ready for the next step.
Step 2: Configure Your Password Complexity Rules
The heart of your password policy resides in a single configuration file: /etc/security/pwquality.conf. This is where you will define the specific requirements for all new passwords on the system.
You can edit this file using your preferred command-line editor, such as nano or vim:
sudo nano /etc/security/pwquality.conf
Inside this file, you’ll find several options that can be uncommented and modified. The most important settings are explained below. A negative value for credit-based settings makes that character class mandatory.
minlen = 8: This is the minimum password length. A value of 12 or 14 is highly recommended for modern security standards.dcredit = -1: This setting controls the requirement for digits (0-9). A value of -1 means a password must contain at least one digit.ucredit = -1: This controls the requirement for uppercase letters (A-Z). A value of -1 means a password must contain at least one uppercase letter.lcredit = -1: This controls the requirement for lowercase letters (a-z). A value of -1 means a password must contain at least one lowercase letter.ocredit = -1: This controls the requirement for special characters (e.g.,!@#$%^&*). A value of -1 means a password must contain at least one special character.difok = 3: This sets the number of characters in the new password that must be different from the old password. This prevents users from making trivial changes like changing “Password123!” to “Password124!”.usercheck = 1: A critical security setting that prevents the password from containing the username in any form (forward or reversed). Keep this enabled.retry = 3: Specifies how many times a user can attempt to enter a valid new password before the process fails.
Example Secure Configuration
For a strong baseline policy, you can use the following settings in your /etc/security/pwquality.conf file:
# Enforce a minimum length of 12 characters
minlen = 12
# Require at least one digit
dcredit = -1
# Require at least one uppercase letter
ucredit = -1
# Require at least one lowercase letter
lcredit = -1
# Require at least one special character
ocredit = -1
# Ensure new passwords are not similar to old ones
difok = 4
After modifying the file, save your changes and exit the editor.
Step 3: Verify PAM Integration
The libpam-pwquality installation typically configures the necessary PAM files for you, but it’s wise to verify. The critical file is /etc/pam.d/common-password. This file tells the system to use the pam_pwquality.so module during password changes.
You can check its contents with cat or grep:
grep "pam_pwquality.so" /etc/pam.d/common-password
You should see a line that looks similar to this:
password requisite pam_pwquality.so retry=3
The word requisite ensures that if this module’s checks fail (i.e., the password is too weak), the entire process stops, and the user is prompted to try again. If this line is present, your system is correctly configured to use the rules you defined in pwquality.conf.
Step 4: Test Your New Password Policy
The best way to confirm everything is working is to test it. You can do this by changing the password for an existing user or creating a new test user.
Let’s try changing a user’s password. Replace your_username with an actual user on your system:
sudo passwd your_username
Now, deliberately try to set a password that violates your new policy. For example, if you set minlen = 12, try setting the password to “weak”.
The system should immediately reject it and provide feedback, such as:
The password is too short
BAD PASSWORD: it is shorter than 12 characters
Next, try setting a password that meets all your criteria (e.g., “S3cureP@ssw0rd!2024”). The system should accept it without any errors.
A Foundational Security Improvement
By taking a few minutes to configure pam_pwquality, you have implemented a fundamental and highly effective security control on your Ubuntu server. Enforcing strong passwords is your first line of defense against automated attacks and a cornerstone of a comprehensive security posture. This simple change ensures that user accounts, a primary target for attackers, are significantly harder to compromise.
Source: https://kifarunix.com/enforce-password-complexity-policy-on-ubuntu-18-04/
