How to Setup Strong Password Policy on Ubuntu 18.04 | 16.04

This brief tutorial shows students and new users how to setup a strong password policy on Ubuntu 18.04 | 16.04.

Out of the box, Ubuntu machines are not setup with advanced password policy. Any password, including weak ones can be used and never expire. This may not be secure in some environment.

In order to configure a more secure password policy and protect you users from hackers and intrusions, you will need to take some steps, and this post shows you how to do that.

Student or new user looking for a Linux system to start learning on, the easiest place to start is Ubuntu Linux OS…. It’s a great Linux operating system for beginners and folks looking for easier Linux distribution to use..

Ubuntu is an open source Linux operating systems that runs on desktops, laptops, server and other devices.

When you’re ready to setup strong password policy on Ubuntu, follow the steps below:

Step 1: Ensure Passwords Expire

In most business environments, user passwords are configured to expire every 60 to 90 days. Desktop users are not configured like business environments and that’s why a single password can be used forever.

If you want to configure Ubuntu to force users to change password regularly, you can run the commands below to open the login.defs file.

sudo nano /etc/login.defs

For example, if you want account password to be changed every 60 days, and number of days before it days before it changes again, edit the highlighted lines in the file.

You can also set number of days warning are given before a password expires.

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
......................

Save the file and exit.

Step 2: Configure PAM Password Module

There is a PAM module called pam_pwquality that can be included with Ubuntu to require strong passwords for system users. pam_pwquality performs a number of basic checks, just like the old pam_cracklib module, including not allowing password to including username from the GECOS field, reject password with more then N number of characters, and many other password related checks.

To install and use pam_pwquality module, run the commands below:

sudo apt install libpam-pwquality cracklib-runtime

pam_pwquality main configuration file is at /etc/pam.d/common-password. Run the commands below to edit the file.

sudo nano /etc/pam.d/common-password

A good password requirement will follow similar guidelines.

  • Allow N number of retries before returning error [retry=3]
  • Set a minimal password length [minlen=8]
  • Set N number of repeated characters [maxrepeat =3]
  • Password must have uppercase characters [ucredit = -1]
  • Password must have lowercase characters [dcredit=-1]
  • Reject password with account name found in GECOS [gecoscheck=1]

Edit the highlighted line and add some of the requirements above to enforce.

# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around

Make the above changes that fit your environment. When done, reboot your machine and the changes above should apply.

That’s it!

Conclusion:

This post showed you how to setup a strong password policy on Ubuntu 18.04 | 16.04. If you find errors in the above, please use the form below to report.

Thanks,

You may also like the post below:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.