Enforce strong passwords in Debian

Posted on 17.03.2011 by Kim N. Lesmer.
This tutorial explains how you can enforce a strong password for users on Debian.

On Linux the passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.

passwd uses PAM (Pluggable Authentication Modules) to authenticate users and to change their passwords.

In order to enforce stricter password rules you need to install the libpam-cracklib package, which provides the pam_cracklib module:

# apt-get install libpam-cracklib

Once it is installed you can set up the rules in /etc/pam.d/common-password.

In the following example I have set up a line that requires the user to select a password with a minimum length of 10 containing at least 4 digits, 1 upper-case letter and 1 other character (one that is neither a letter nor a digit). The user is only given 1 opportunity to enter a strong password, and the password can't contain the user name.

password requisite pam_cracklib.so \
    retry=1 dcredit=-4 ucredit=-1 ocredit=-1 \
    lcredit=0 minlen=10 reject_username
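The credit options are the part of this line that people most often get wrong: a negative value such as dcredit=-4 is a hard minimum for that character class, while a positive value lets up to that many characters of the class count extra towards minlen. The following Python model of that arithmetic and of the reject_username test is an example added to this tutorial; it is not code from pam_cracklib or from the original post. It assumes ASCII character classes, compares the user name case-insensitively, and deliberately leaves out cracklib's dictionary, palindrome and similarity checks, so a password it accepts can still be rejected by the real module.

```python
"""Model of pam_cracklib's length/credit check and reject_username option.

Constructed example (not part of pam_cracklib or the original post).
Character classes are treated as ASCII: digit, upper, lower, other.
"""


def classify(password):
    """Count digits, upper-case, lower-case and other characters."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def cracklib_simple_check(password, minlen=10, dcredit=-4, ucredit=-1,
                          ocredit=-1, lcredit=0):
    """Return the reasons the password fails the length/credit rules.

    An empty list means the password passes.  Semantics as in pam_cracklib:
      * credit < 0 : at least -credit characters of that class are required,
                     and the class earns no credit towards minlen;
      * credit >= 0: up to `credit` characters of that class each reduce the
                     length still needed to reach minlen (0 disables credit).
    """
    counts = classify(password)
    credits = {"digit": dcredit, "upper": ucredit,
               "lower": lcredit, "other": ocredit}
    reasons = []
    required_len = minlen
    for cls, credit in credits.items():
        n = counts[cls]
        if credit < 0:
            if n < -credit:
                reasons.append(
                    f"needs at least {-credit} {cls} character(s), has {n}")
        else:
            required_len -= min(n, credit)
    if len(password) < required_len:
        reasons.append(f"too short: length {len(password)} is below "
                       f"{required_len} (minlen {minlen} minus credits)")
    return reasons


def contains_username(password, username):
    """reject_username: the user name, straight or reversed, occurs in the
    password.  Assumption: both sides are lower-cased before comparing."""
    u = username.lower()
    p = password.lower()
    return bool(u) and (u in p or u[::-1] in p)


def check_password(password, username, minlen=10, dcredit=-4, ucredit=-1,
                   ocredit=-1, lcredit=0, reject_username=True):
    """Apply the rules of the common-password line shown in the tutorial."""
    reasons = cracklib_simple_check(password, minlen, dcredit, ucredit,
                                    ocredit, lcredit)
    if reject_username and contains_username(password, username):
        reasons.append("contains the user name in some form")
    return reasons


if __name__ == "__main__":
    # Constructed candidate passwords for a user called "kim".
    for candidate in ["Ab1234!xyz", "Ab123!xyzw", "ab1234!xyz",
                      "Ab12345!", "Kim1234!abc", "Mik12345!ab"]:
        verdict = check_password(candidate, "kim")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run it to see why each candidate passes or fails the line in the tutorial. Changing the call to positive credits, for example dcredit=2 with the other credits at 0, shows the other mode: a 9-character password with one digit then satisfies minlen=10 because the digit earns one credit.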

You can read about the specific options for pam_cracklib in the documentation here: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html

If you have any comments or corrections feel free to email them to me.