How to Enforce Password Quality in Linux

One of the easiest ways to improve the security of your server is to ensure that everyone’s password meets a certain minimum length. There are, of course, other considerations like the mix of small and capital letters, numbers, and special characters. But a minimum password length gives you the most “bang for the buck”. Each additional character in a password increases its strength exponentially. In this article, we’ll show you how to enforce a minimum password length for all your users in Linux.

Step 1: Ensure that you Have Administrator Permissions

The changes we’ll be making require you to either be root or have “sudo” permissions. Getting sudo permissions is another discussion altogether. But if you want to switch to root from any other user, just type the following command:

su - root

Enter your root password and you’re good to go. It’s worth mentioning that performing tasks while logged in as root is almost never a good idea. Get sudo permissions and do what you need to do from there!

Step 2: Checking the Existing Minimum Length

By default, your current password configuration should already have a minimum length set up. For our installation, this is 8 characters. You can check the validity of any password using the following command:

pwscore

Hit “Enter” and type your password into the blank line that follows. For example:

Enforce Password Quality in Linux

In the screenshot above, you can see we’ve entered the password “1234567”. This falls short of the minimum password length of 8, so we get an error message informing us. Of course, this password falls short of many other requirements too. But the minimum length is the first to be checked.

Step 3: Open the pwquality.conf File

All your password requirements are specified in the following file:

/etc/security/pwquality.conf

Along with the minimum length, it allows you to assign various degrees of importance to the characteristics of your password. We’ll take a look at those a bit later. For now, just open it using a text editor:

vi /etc/security/pwquality.conf

Now let’s set the minimum length

Step 4: Set the Minimum Password Length

In the text editor, scroll down till you see this line:

# minlen = 9
Password Quality in Linux

To change the minimum length, do these two things:

  1. Remove the hash (#) character from the beginning of the line
  2. Change the length to your desired length
  3. Change the following parameters to “0” and Remove the hash (#) for them as well
    1. dcredit
    2. ucredit
    3. lcredit
    4. ocredit

So if you want the minimum length to be 10, change minlen and the others as shown here:

 Enforce Password Quality Linux

Save the file.

Step 5: Verify the Changes

Now when we use the “pwscore” command again, the new password length is enforced. Here’s proof:

How to Enforce Password Quality Linux

In this screenshot, we use the password ” qjtdysi7″ – one more than last time. Since we’ve set “minlen” to 10, the minimum password length is now 9.

Step 6 (Optional): Configure Other Password Parameters

In Step 4, we’ve disabled “credits”, which gives passwords points for things like digits, capital letters, and characters different from the previous password. The default for those was “1”, which means that each time you use one of these characters, the score is added to the length.

If we omit Step 4, that it allows users to bypass the minimum length by using a mix of characters and digits. So for example, a “minlen” of 9 could be overcome by the previous password:

qjtdysi7

While this has only 8 characters, it contains a digit and lowercase alphabets. Which increases the score to 10 and thus meets our password requirements.

You can adjust the “minlen” parameter to a higher number and give people additional points password complexity. You can set the various credits to a negative number to force that specific amount of characters. Do a “dcredit” value of -3 means that the password must have at least 3 digits.

The “pwquality.conf” file documents all these parameters, and you can create password rules that are as complex as you like! But here we show you how to get started with a minimum length. You can take it from there!


You don’t have to enforceĀ  password quality on your Linux machine if you are one of our Managed Linux VPS Hosting clients, in which case you can simply ask our technical support to enforce your Linux password for you. They are available 24/7 and will take care of it asap.