I need to configure an Ubuntu server to follow a strict company password policy that specifies the following:
- at least one upper case
- at least one lower case
- at least one digit
- at least one special character
I've had a look around and all I have found is the instructions for specifying the password length; but, I have yet to find something that relates to specifying the content of the password regarding the above points.
Any help would be appreciated.
Password complexity is enforced by the
pam_cracklibmodule.In order to modify the password policy for your local machine, you will need to modify your
/etc/pam.d/common-passwordfile.From a terminal window (Ctrl+Alt+T), enter the following command:
Add the following line to the file (before
pam_unix.soor whichever PAM module is used primarily for authentication, as can be seen from examples in the manpage) and save the file:This statement implements the following password requirements:
dcredit== digitucredit== upper-case characterlcredit==lower-case characterocredit== other character (special characters, including!,@#$%)This should satisfy your requirements.
You could also use the variables
minlengthandretriesto further restrict the password requirements.Here is another good example of modifying a password policy in this manner would be placing the following line in the
/etc/pam.d/common-passwordfile:This entry will set a maximum of three attempts at getting an acceptable password with a 10-character minimum length.
This sets the requirement for users to have a minimum of three characters different from the last password.
This will also fulfill the requirement of having the password contain at least one each of digit, lower-case character, and upper-case characters.
See also this article on setting up stronger password policy rules in linux.
There's a fork of pam_cracklib by Tomas Mraz: pam_pwquality with slightly better options.
Add it with
apt install libpam-pwqualityor passwd will complain: