Password policy
Configure password creation requirements
Enforce the use of strong passwords to protect systems against brute-force attacks, which involve guessing password combinations.
To set password creation requirements:
- In the /etc/security/pwquality.conf file, add or modify the following line for password length:
minlen = 14
- In the /etc/security/pwquality.conf file, add or modify the following line for password complexity (minclass = 4 requires characters from all four classes: upper-case letters, lower-case letters, digits and other characters):
minclass = 4
- Run the following script to update the system-auth and password-auth files so that pam_pwquality.so is enforced for root and allows three retries:
# Locate the authselect profile in use (custom profiles live under custom/)
CP=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)
for FN in system-auth password-auth; do
  [[ -n $CP ]] && PTF=/etc/authselect/$CP/$FN || PTF=/etc/authselect/$FN
  # Add enforce-for-root to the pam_pwquality.so line if it is missing
  [[ -z $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*enforce-for-root\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 enforce-for-root/' $PTF
  # Replace an existing retry= value with retry=3, or append retry=3 if none is set
  [[ -n $(grep -E '^\s*password\s+requisite\s+pam_pwquality.so\s+.*\s+retry=\S+\s*.*$' $PTF) ]] && sed -ri '/pwquality/s/retry=\S+/retry=3/' $PTF || sed -ri 's/^\s*(password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1\2 retry=3/' $PTF
done
authselect apply-changes
Limit password reuse
Enforce a policy that prevents users from reusing any of their last five passwords, so that a compromised password cannot simply be set again. The history check applies only to local system accounts.
To configure remembered password history, run the following script, which adds or modifies the pam_pwhistory.so and pam_unix.so lines to include the remember option:
# Locate the authselect profile in use (custom profiles live under custom/)
CP=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)
[[ -n $CP ]] && PTF=/etc/authselect/$CP/system-auth || PTF=/etc/authselect/system-auth
# If the pam_pwhistory.so or pam_unix.so line already carries remember=, set it to 5; otherwise append remember=5
[[ -n $(grep -E '^\s*password\s+(sufficient\s+pam_unix|requi(red|site)\s+pam_pwhistory).so\s+([^#]+\s+)*remember=\S+\s*.*$' $PTF) ]] && sed -ri 's/^\s*(password\s+(required|requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)(remember=\S+\s*)(.*)$/\1\4 remember=5 \6/' $PTF || sed -ri 's/^\s*(password\s+(required|requisite|sufficient)\s+(pam_pwhistory\.so|pam_unix\.so)\s+)(.*)$/\1\4 remember=5/' $PTF
authselect apply-changes
Set password expiration to 90 days or less
Limit the maximum password age to enforce regular credential updates. Shorter expiration periods reduce the time compromised passwords remain valid.
To change the number of days a password is active before it expires:
- In /etc/login.defs, set the PASS_MAX_DAYS parameter to 90 days:
PASS_MAX_DAYS 90
Note that changes made to /etc/login.defs affect only users created afterwards.
- For existing users, set the maximum password age by running:
# chage --maxdays 90 <user>
Set minimum days between password changes to 7 or more
Restrict frequent password changes to prevent users from cycling through old credentials, ensuring adherence to password history policies.
To change the number of days a password must be active before it can be changed by a user:
- In /etc/login.defs, set the PASS_MIN_DAYS parameter to 7:
PASS_MIN_DAYS 7
Note that changes made to /etc/login.defs affect only users created afterwards.
- For existing users, set the minimum number of days between password changes by running:
# chage --mindays 7 <user>
Set inactive password lock to 30 days or less
Lock accounts that stay inactive after their password expires, because they pose a security risk: an account nobody uses, whose login attempts nobody monitors, is a prime target for an attacker seeking undetected, unauthorised access.
To change the number of days of inactivity after a password has expired before the account is locked:
- Set the default password inactivity period to 30 days:
# useradd -D -f 30
Note that this changes only the useradd default (stored as INACTIVE in /etc/default/useradd) and therefore affects only users created afterwards.
- For existing users, set the number of days of inactivity by running:
# chage --inactive 30 <user>
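As an added example that is not part of the original page, the following POSIX sh audit helper checks every setting configured above (pwquality minlen/minclass, PASS_MAX_DAYS/PASS_MIN_DAYS, the useradd INACTIVE default) and additionally lists existing accounts whose /etc/shadow ageing fields fall outside the policy, which the page itself does not describe. The function names, the sample files and the assumption that the last occurrence of a key wins are this example's own.

```shell
#!/bin/sh
# Audit helper for the settings this page configures. Paths are parameters, so
# it runs on the constructed sample below or, as root, on /etc/security/pwquality.conf,
# /etc/login.defs, /etc/default/useradd (where useradd -D stores INACTIVE) and /etc/shadow.
# get_setting FILE KEY: value of "KEY value", "KEY = value" or "KEY=value";
# comment lines are skipped and the last occurrence wins (assumption).
get_setting() {
  awk -v key="$2" '/^[[:space:]]*#/ { next }
    { sub(/=/, " = ") }
    $1 == key { v = ($2 == "=") ? $3 : $2 }
    END { print v }' "$1"
}
# 0 if minlen >= 14 and minclass >= 4 (an unset key counts as 0)
check_pwquality() {
  minlen=$(get_setting "$1" minlen); minclass=$(get_setting "$1" minclass)
  [ "${minlen:-0}" -ge 14 ] && [ "${minclass:-0}" -ge 4 ]
}
# 0 if PASS_MAX_DAYS <= 90 and PASS_MIN_DAYS >= 7 (unset: max 99999, min 0)
check_login_defs() {
  max=$(get_setting "$1" PASS_MAX_DAYS); min=$(get_setting "$1" PASS_MIN_DAYS)
  [ "${max:-99999}" -le 90 ] && [ "${min:-0}" -ge 7 ]
}
# 0 if the useradd default INACTIVE is 0..30 (-1 or unset means never lock)
check_useradd_defaults() {
  inactive=$(get_setting "$1" INACTIVE)
  [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$inactive" -le 30 ]
}
# Accounts with a real password hash whose shadow fields (min:max:inactive =
# 4:5:7) fall outside the policy; locked (! or *) and empty hashes are skipped.
list_noncompliant_users() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ {
    if ($4 == "" || $4 < 7 || $5 == "" || $5 > 90 || $7 == "" || $7 > 30)
      print $1 }' "$1"
}
# run_check LABEL COMMAND ARGS...: prints a PASS/FAIL line for one check
run_check() {
  label=$1; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}
# Constructed sample files standing in for the live ones (not from a real host)
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'minlen = 14\nminclass = 4\n' > "$SAMPLE_DIR/pwquality.conf"
printf '# login.defs\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t7\n' > "$SAMPLE_DIR/login.defs"
printf 'INACTIVE=30\n' > "$SAMPLE_DIR/useradd"
printf 'root:$6$h:19500:7:90:7:30:::\nalice:$6$h:19500:0:99999:7:::\nbob:!!:19500:0:99999:7:::\n' > "$SAMPLE_DIR/shadow"
run_check "pwquality minlen/minclass" check_pwquality "$SAMPLE_DIR/pwquality.conf"
run_check "login.defs PASS_MAX_DAYS/PASS_MIN_DAYS" check_login_defs "$SAMPLE_DIR/login.defs"
run_check "useradd INACTIVE default" check_useradd_defaults "$SAMPLE_DIR/useradd"
echo "Accounts outside policy: $(list_noncompliant_users "$SAMPLE_DIR/shadow")"
```

On a live host the same functions can be pointed at the real files; reading /etc/shadow requires root.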