Installing and configuring pwquality
We'll be using the pwquality module for the Pluggable Authentication Module (PAM). This is a newer technology that has replaced the old cracklib module. On a Red Hat 7/8 or CentOS 7/8 system, pwquality is installed by default, even if you do a minimal installation. If you cd into the /etc/pam.d directory, you can do a grep operation to see that the PAM configuration files are already set up. retry=3 means that a user will only have three tries to get the password right when logging in to the system:
[donnie@localhost pam.d]$ grep 'pwquality' *
password-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password-auth-ac:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
system-auth:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
system-auth-ac:password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
[donnie@localhost pam.d]$
The rest of the procedure is the same for both operating systems and consists of just editing the /etc/security/pwquality.conf file. When you open this file in your text editor, you'll see that everything is commented out, which means that no password complexity criteria are in effect. You'll also see that it's very well documented because every setting has its own explanatory comment.
You can set password complexity criteria however you want just by uncommenting the appropriate lines and setting the appropriate values. Let's take a look at just one setting:
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
The minimum length setting works on a credit system. This means that for every different type of character class in the password, the minimum required password length will be reduced by one character. For example, let's set minlen to a value of 19 and try to assign Katelyn the password turkeylips:
minlen = 19
[donnie@localhost ~]$ sudo passwd katelyn
Changing password for user katelyn.
New password:
BAD PASSWORD: The password is shorter than 18 characters
Retype new password:
[donnie@localhost ~]$
Because the lowercase characters in turkeylips count as credit for one type of character class, we're only required to have 18 characters instead of 19. If we try this again with TurkeyLips, we'll get:
[donnie@localhost ~]$ sudo passwd katelyn
Changing password for user katelyn.
New password:
BAD PASSWORD: The password is shorter than 17 characters
Retype new password:
[donnie@localhost ~]$
This time, the uppercase T and uppercase L count as a second character class, so we only need to have 17 characters in the password.
Just below the minlen line, you'll see the credit lines. Let's say that you don't want lowercase letters to count toward your credits. You would find this line:
# lcredit = 1
Uncomment it, and change the 1 to a 0:
lcredit = 0
Then, try assigning Katelyn turkeylips as a password:
[donnie@localhost ~]$ sudo passwd katelyn
Changing password for user katelyn.
New password:
BAD PASSWORD: The password is shorter than 19 characters
Retype new password:
[donnie@localhost ~]$
This time, pwquality really does want 19 characters. If we set a credit value to something higher than 1, we would get credit for multiple characters of the same class type, up to that value.
We can also set the credit values to negative numbers in order to require a certain number of character types in a password. For example, we could have this:
dcredit = -3
This would require at least three digits in a password. However, it's a really bad idea to use this feature, because someone who's doing a password attack would soon find the patterns that you require, which would help the attacker to more precisely direct the attack. If you need to require that a password has multiple character types, it would be better to use the minclass parameter:
# minclass = 3
It's already set to a value of 3, which would require characters from three different classes. To use this value, all you have to do is to remove the comment symbol.
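The credit arithmetic behind the three BAD PASSWORD messages above, the lcredit = 0 change, a negative dcredit, and minclass can all be traced with a small model of the length check. The following Python is an added example written for this page; it is not libpwquality or pam_pwquality code, and its class names, the PwqSettings defaults (chosen to reproduce the page's output, with every credit at 1 and minclass at 0) and the wording of its messages are assumptions, not the library's own.

```python
"""Model of the pam_pwquality length/credit rules described on this page.

Added example, not libpwquality code. It reproduces only the rules the text
describes: positive credits shorten the required length, a credit of 0
disables that class, a negative credit becomes a hard minimum count, and
minclass demands a number of distinct character classes.
"""

from dataclasses import dataclass


@dataclass
class PwqSettings:
    # Field names mirror pwquality.conf keys. The defaults are an assumption
    # picked to match the page's examples (minlen = 19, all credits 1).
    minlen: int = 19
    dcredit: int = 1
    ucredit: int = 1
    lcredit: int = 1
    ocredit: int = 1
    minclass: int = 0


def count_classes(password: str) -> dict:
    """Count characters per class; anything not a digit/upper/lower is 'other'."""
    digits = sum(c.isdigit() for c in password)
    uppers = sum(c.isupper() for c in password)
    lowers = sum(c.islower() for c in password)
    others = len(password) - digits - uppers - lowers
    return {
        "digits": digits,
        "uppercase letters": uppers,
        "lowercase letters": lowers,
        "other characters": others,
    }


def check_password(password: str, s: PwqSettings):
    """Return None if the password passes, else a pwquality-style message.

    The reported 'shorter than N' value is minlen minus the credits earned,
    which is why turkeylips with minlen = 19 is told it needs 18 characters.
    """
    counts = count_classes(password)
    credits = {
        "digits": s.dcredit,
        "uppercase letters": s.ucredit,
        "lowercase letters": s.lcredit,
        "other characters": s.ocredit,
    }
    earned = 0
    for cls, n in counts.items():
        cr = credits[cls]
        if cr >= 0:
            # Positive credit: each character of this class knocks one off
            # the required length, capped at the credit value (0 disables it).
            earned += min(n, cr)
        elif n < -cr:
            # Negative credit: a hard minimum number of this class.
            return f"The password contains less than {-cr} {cls}"
    if len(password) + earned < s.minlen:
        return f"The password is shorter than {s.minlen - earned} characters"
    present = sum(1 for n in counts.values() if n > 0)
    if present < s.minclass:
        return f"The password contains less than {s.minclass} character classes"
    return None


if __name__ == "__main__":
    # Walk through the page's scenarios with constructed settings.
    print(check_password("turkeylips", PwqSettings(minlen=19)))
    print(check_password("TurkeyLips", PwqSettings(minlen=19)))
    print(check_password("turkeylips", PwqSettings(minlen=19, lcredit=0)))
    print(check_password("turkeylips", PwqSettings(minlen=8, dcredit=-3)))
    print(check_password("turkeylips", PwqSettings(minlen=8, minclass=3)))
    print(check_password("TurkeyLips-2024", PwqSettings(minlen=19, minclass=3)))
```

Running it prints the 18, 17 and 19 messages from the page in order, then a digits message for dcredit = -3, a class-count message for minclass = 3, and None for a password that satisfies both minlen and minclass.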
The rest of the parameters in pwquality.conf work pretty much the same way, and each one has a well-written comment to explain what it does.