{"id":2400,"date":"2019-03-21T20:06:57","date_gmt":"2019-03-21T17:06:57","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2400"},"modified":"2019-03-23T08:34:47","modified_gmt":"2019-03-23T05:34:47","slug":"enforce-password-complexity-policy-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/enforce-password-complexity-policy-on-ubuntu-18-04\/","title":{"rendered":"Enforce Password Complexity Policy On Ubuntu 18.04"},"content":{"rendered":"<p>Hello folks. Today, we are going to learn how to enforce password complexity policy on Ubuntu 18.04. As you realize, the traditional way of using passwords is still the major method of authenticating to various services. As a result, it is a good idea for every system admin to ensure that strong password policy is enforced since it is always the first line of defense security wise.<\/p>\n<h2>Enforce Password Complexity Policy On Ubuntu 18.04<\/h2>\n<p>In this guide, we are going to learn how to use the Pluggable Authentication Module (PAM) to enforce password complexity policy on Ubuntu 18.04. PAM is an authentication and security framework that is used to set authentication policies for specific applications\/services in Linux system. Note that any error in PAM configuration may completely disable access to a system service. Hence, be sure on the configs.<\/p>\n<p>Are you also looking at protecting single user mode with password on Ubuntu 18? See our previous article on how to by following the link below;<\/p>\n<ul>\n<li><a href=\"https:\/\/kifarunix.com\/how-to-protect-single-user-mode-with-password-in-ubuntu-18-04\/\" target=\"_blank\" rel=\"noopener\">How to Protect Single User Mode with Password in Ubuntu 18.04<\/a><\/li>\n<\/ul>\n<h3>Install PAM on Ubuntu 18.04<\/h3>\n<p>In order to enforce password complexity policy on Ubuntu 18.04, you need to have <code>pam_pwquality<\/code> module that is provided by the <code>libpam_pwquality<\/code> library. This module checks the strength of the password against a system dictionary and a set of rules for identifying poor choices. It replaces the <code>libpam_cracklib<\/code> module. Run the command below to verify if PAM pwquality library is installed on Ubuntu 18.04;<\/p>\n<pre>apt-cache policy *pam-pwquality*<\/code><\/pre>\n<pre>libpam-pwquality:\r\n  Installed: (none)\r\n  Candidate: 1.4.0-2\r\n  Version table:\r\n     1.4.0-2 500\r\n        500 http:\/\/ke.archive.ubuntu.com\/ubuntu bionic\/main amd64 Packages<\/code><\/pre>\n<p>As you can see from the output above, no PAM pwquality library is installed. Hence, if it is not installed, you can install it as shown below;<\/p>\n<pre>apt install libpam-pwquality<\/code><\/pre>\n<p>Now that we have the right module in place, let us see how to enforce password complexity policy on Ubuntu 18.04 with <code>pam_pwquality<\/code> module. To enforce password complexity policy on Ubuntu 18.04, you need to edit the <code>\/etc\/pam.d\/common-password<\/code> configuration file. However, make a copy of this file before you make any adjustments.<\/p>\n<pre>cp \/etc\/pam.d\/common-password \/etc\/pam.d\/common-password.original<\/code><\/pre>\n<p>There are different options that can be passed to the <code>pam_pwquality<\/code> to enforce password complexity policy on Ubuntu 18.04. Some of the options that we are going to use in this guide include <code><strong>dcredit<\/strong><\/code>, <code><strong>ucredit<\/strong><\/code>, <strong><code>lcredit<\/code><\/strong>, <code><strong>ocredit<\/strong><\/code>, <code><strong>minlen<\/strong><\/code>, <code><strong>reject_username<\/strong><\/code>, <code><strong>enforce_for_root<\/strong><\/code>, <code><strong>retry<\/strong><\/code>.<\/p>\n<p>Once you have made the backup of the <code>\/etc\/pam.d\/common-password<\/code> configuration file, open it for editing. Find the line below;<\/p>\n<pre>password        requisite                       pam_pwquality.so retry=3<\/code><\/pre>\n<p>Comment it and replace with the line below;<\/p>\n<pre><strong>password        requisite                       pam_pwquality.so retry=3 minlen=8 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 reject_username enforce_for_root<\/strong><\/code><\/pre>\n<p>Below is a description of the options used;<\/p>\n<p><code>retry=3<\/code>: This options sets a number of times you are prompted to enter a right password before the returning an error. This is set to 3 in this case.<br \/>\n<code><strong>minlen=8<\/strong><\/code>: Sets the minimum acceptable size for the new password.<br \/>\n<code><strong>difok=3<\/strong><\/code>: Specifies the number of characters that should be similar to the characters in the previous password.<br \/>\n<code><strong>lcredit=-1<\/strong><\/code>: Sets the minimum number of lower case letters that the password should contain.<br \/>\n<code><strong>ucredit=-1<\/strong><\/code>: Sets the minimum number of upper case letters on a password.<br \/>\n<code><strong>dcredit=-1<\/strong><\/code>: Sets the\u00a0minimum number of digits to be contained in a password.<br \/>\n<code><strong>ocredit=-1<\/strong><\/code>: Set the minimum number of other symbols such as @, #, ! $ % etc on a password.<br \/>\n<code><strong>reject_username<\/strong><\/code>: Rejects the password if contains the name of the user in either straight or reversed form.<br \/>\n<code><strong>enforce_for_root<\/strong><\/code>: Ensures that even if it is the root user that is setting the password, the complexity policies should be enforced. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway.<\/p>\n<p>Note that when setting the password credits, the negative number sets the minimum value while the positive number sets the maximum values.<\/p>\n<p>If you need to see more options for enforcing password complexity, run <code>man pam_pwquality<\/code>.<\/p>\n<h3>Test the Password Complexity enforcement<\/h3>\n<p>To test this, as a user amos, am going to try 3 password that doesn&#8217;t meet the requirements above (At least 8 characters, a digit, a lower case, a symbol and an upper case letter).<\/p>\n<pre>amos@ubuntu18:~$ passwd\r\nChanging password for amos.\r\n(current) UNIX password: \r\nNew password: \r\nBAD PASSWORD: The password is too similar to the old one\r\nNew password: \r\nBAD PASSWORD: The password contains less than 1 digits\r\nNew password: \r\nBAD PASSWORD: The password contains less than 1 non-alphanumeric characters\r\npasswd: Have exhausted maximum number of retries for service\r\npasswd: password unchanged<\/code><\/pre>\n<p>Next, am going to use a more complex password that meets the above defined policy: <code>P@ssword1<\/code>.<\/p>\n<pre>amos@ubuntu18:~$ passwd\r\nChanging password for amos.\r\n(current) UNIX password: amos123\r\nNew password: <code>P@ssword1<\/code> Retype new password: <code>P@ssword1<\/code> passwd: password updated successfully<\/code><\/pre>\n<p>Test the password change as <code>root<\/code> user.<\/p>\n<pre>root@ubuntu18:~# passwd amos\r\nNew password: \r\nBAD PASSWORD: The password contains less than 1 uppercase letters\r\nNew password: \r\nBAD PASSWORD: The password contains less than 1 digits\r\nNew password: \r\nBAD PASSWORD: The password contains less than 1 non-alphanumeric characters\r\npasswd: Have exhausted maximum number of retries for service\r\npasswd: password unchanged<\/code><\/pre>\n<pre>root@ubuntu18:~# passwd amos\r\nNew password: H@cker123\r\nRetype new password: H@cker123\r\npasswd: password updated successfully<\/code><\/pre>\n<p>That is it. That is all it takes to enforce password complexity policy on Ubuntu 18.04. We hope this was informative. Enjoy<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hello folks. Today, we are going to learn how to enforce password complexity policy on Ubuntu 18.04. As you realize, the traditional way of using<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[352,34],"tags":[354,356,353,67],"class_list":["post-2400","post","type-post","status-publish","format-standard","hentry","category-password-policies","category-security","tag-pam","tag-pam_pwquality","tag-password-complexity","tag-ubuntu-18-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2400"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2400"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2400\/revisions"}],"predecessor-version":[{"id":2413,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2400\/revisions\/2413"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2400"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2400"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}