
# Force Accounts to Use Secure Passwords

> Enforce strong password requirements using PAM and pwquality

## Why This Matters

By default, accounts can use any password they want, including weak ones like "password123" or "admin". This creates a significant security vulnerability.

**pwquality** (via pam\_pwquality) provides "a way to configure the default password quality requirements for the system passwords" and checks "its strength against a system dictionary and a set of rules for identifying poor choices."

## How It Works

On Linux, **PAM** (Pluggable Authentication Modules) is responsible for authentication. When an account needs to set or change a password, PAM's password task handles the request.

We'll configure PAM to pass all new passwords through libpam-pwquality to verify they meet our security requirements. If the password meets the requirements, it's accepted; otherwise, the user gets an error and must choose a stronger password.

## Installation and Configuration

<Steps>
  <Step title="Install libpam-pwquality">
    On Debian based systems:

    ```bash theme={null}
    sudo apt install libpam-pwquality
    ```
  </Step>

  <Step title="Backup PAM configuration">
    Create a backup of PAM's password configuration:

    ```bash theme={null}
    sudo cp --archive /etc/pam.d/common-password /etc/pam.d/common-password-COPY-$(date +"%Y%m%d%H%M%S")
    ```
  </Step>

  <Step title="Configure password requirements">
    Edit `/etc/pam.d/common-password` and find the line that starts with:

    ```
    password        requisite                       pam_pwquality.so
    ```

    Change it to:

    ```
    password        requisite                       pam_pwquality.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoscheck
    ```

    Or use this command:

    ```bash theme={null}
    sudo sed -i -r -e "s/^(password\s+requisite\s+pam_pwquality\.so)(.*)$/# \1\2\n\1 retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoscheck/" /etc/pam.d/common-password
    ```
  </Step>
</Steps>
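As an added example (not part of this guide, and not code from PAM or libpwquality), the Python script below does on a text copy of `common-password` what the `sed` rule above does, and then audits the active `pam_pwquality.so` line: every option must be a name pam_pwquality recognises (a misspelled option such as `gecoschec` enforces nothing), the options this guide relies on must all be present, and each class credit must be negative. `SAMPLE_FILE` is a constructed stand-in for a stock Debian file, and `KNOWN_OPTIONS` is the set of `pwquality.conf(5)` settings plus the module's PAM-only arguments as I know them; both are assumptions of the example.

```python
"""Apply and audit the pam_pwquality hardening from this guide.

Added example, not part of the guide or of libpwquality. It mirrors the
guide's sed one-liner on the text of common-password, then audits the
result. SAMPLE_FILE is a constructed Debian-style default, not a real file.
"""
import re
import shutil
from datetime import datetime
from pathlib import Path

# Option names pam_pwquality accepts: the pwquality.conf(5) settings plus the
# module's PAM-only arguments (assumed complete for this example). Anything
# outside this set is a typo that enforces nothing.
KNOWN_OPTIONS = {
    "difok", "minlen", "dcredit", "ucredit", "lcredit", "ocredit", "minclass",
    "maxrepeat", "maxsequence", "maxclassrepeat", "gecoscheck", "dictcheck",
    "usercheck", "usersubstr", "enforcing", "retry", "enforce_for_root",
    "local_users_only", "badwords", "dictpath",
    "debug", "authtok_type", "use_authtok", "try_first_pass", "use_first_pass",
}

# The guide's hardened option string.
HARDENED = ("retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 "
            "ocredit=-1 maxrepeat=3 gecoscheck")

# Constructed stand-in for a stock Debian /etc/pam.d/common-password.
SAMPLE_FILE = (
    "# /etc/pam.d/common-password - password-related modules common to all services\n"
    "password\trequisite\t\t\tpam_pwquality.so retry=3\n"
    "password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass yescrypt\n"
    "password\trequisite\t\t\tpam_deny.so\n"
    "password\trequired\t\t\tpam_permit.so\n"
)

# Same pattern as the guide's sed rule: module name, then its arguments.
LINE_RE = re.compile(r"^(password\s+requisite\s+pam_pwquality\.so)(.*)$")


def harden_text(text, options=HARDENED):
    """Return (new_text, changed). The active pam_pwquality line is kept as a
    comment and followed by a copy carrying `options`; a line that already
    carries exactly these options is left alone, so the edit is idempotent."""
    out, changed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2).split() != options.split():
            out.append("# " + line)
            out.append(f"{m.group(1)} {options}")
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


def pwquality_args(text):
    """{option: value-or-None} of the first active pam_pwquality line, else None."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            args = {}
            for tok in m.group(2).split():
                name, sep, value = tok.partition("=")
                args[name] = value if sep else None
            return args
    return None


def audit_text(text, required=("minlen", "ucredit", "lcredit", "dcredit",
                               "ocredit", "maxrepeat", "gecoscheck")):
    """List of findings for the active line; an empty list means it is sound."""
    args = pwquality_args(text)
    if args is None:
        return ["no active pam_pwquality line found"]
    findings = [f"unknown option {n!r}: not a pam_pwquality setting, it enforces nothing"
                for n in args if n not in KNOWN_OPTIONS]
    findings += [f"missing {n}" for n in required if n not in args]
    for n in ("ucredit", "lcredit", "dcredit", "ocredit"):
        v = args.get(n)
        if v is not None and v.lstrip("-").isdigit() and int(v) >= 0:
            findings.append(f"{n}={v} only grants credit; a negative value is needed to require the class")
    return findings


def harden_file(path, options=HARDENED):
    """Back up `path` the way the guide does (…-COPY-<timestamp>), then rewrite it."""
    path = Path(path)
    stamp = datetime.now().strftime("%Y%m%d%H%M%S")
    shutil.copy2(path, path.with_name(f"{path.name}-COPY-{stamp}"))
    new_text, changed = harden_text(path.read_text(), options)
    path.write_text(new_text)
    return changed


if __name__ == "__main__":
    # Dry run on the constructed sample; on a real host call
    # harden_file("/etc/pam.d/common-password") as root instead.
    print("before:", audit_text(SAMPLE_FILE))
    hardened, n = harden_text(SAMPLE_FILE)
    print(f"rewrote {n} line(s); after:", audit_text(hardened))
```

Run it as is for a dry run on the sample; on a real host, call `harden_file("/etc/pam.d/common-password")` as root and then `audit_text(Path("/etc/pam.d/common-password").read_text())` to confirm the line is sound before logging out of your session.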

## Password Requirements Explained

Here's what each option in the configuration means:

| Option      | Value | Description                                                           |
| ----------- | ----- | --------------------------------------------------------------------- |
| `retry`     | 3     | Prompt user 3 times before returning with error                       |
| `minlen`    | 10    | Minimum password length (after credits/debits)                        |
| `difok`     | 3     | At least 3 characters must be different from old password             |
| `ucredit`   | -1    | Must have at least **one uppercase letter** (negative means required) |
| `lcredit`   | -1    | Must have at least **one lowercase letter**                           |
| `dcredit`   | -1    | Must have at least **one digit**                                      |
| `ocredit`   | -1    | Must have at least **one non-alphanumeric character**                 |
| `maxrepeat` | 3     | Maximum of 3 repeated characters allowed                              |
| `gecoscheck` | -   | Do not allow passwords containing words from the account's GECOS field (e.g. the user's full name) |

<Info>
  **Credit System**: Positive credit values give "credit" that reduces the minimum length requirement. Negative credit values **require** that character type.

  For example:

  * `ucredit=1` means uppercase letters count as extra length towards `minlen`, up to 1 character of credit in total
  * `ucredit=-1` means at least one uppercase letter is **required** (and uppercase letters earn no credit)
</Info>

## Password Examples

### These passwords would be REJECTED:

* `password` - too short, no uppercase, no digit, no special character
* `Password1` - no special character
* `Pass@123` - too short (only 8 characters)
* `Johndoe@123` - contains username (if username is "johndoe")
* `Passssword@1` - too many repeated characters (s)

### These passwords would be ACCEPTED:

* `MyP@ssw0rd!` - 11 characters, mixed case, digit, special character
* `S3cur3#Pass` - 11 characters, all requirements met
* `C0mpl3x!ty` - 10 characters, all requirements met

## Testing Password Requirements

You can test the password requirements without changing any account passwords using `pwscore` (from the `libpwquality-tools` package on Debian):

```bash theme={null}
pwscore
```

`pwscore` reads the candidate from standard input: type a potential password and press Enter. If the password breaks one of the rules, it prints the reason and exits with a non-zero status; otherwise it prints a strength score from 0 to 100, which you can read as:

* Score 0-49: Weak
* Score 50-79: Medium
* Score 80-100: Strong

## Customizing Requirements

You can adjust the requirements to match your security policy. For example:

**More Strict**:

```
retry=3 minlen=14 difok=5 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2 maxrepeat=2 gecoscheck
```

**Less Strict**:

```
retry=3 minlen=8 difok=2 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=4 gecoscheck
```
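To make the rules in "Password Requirements Explained" and the verdicts in "Password Examples" concrete, and to see how the stricter and looser option strings above change those verdicts, here is an added example (not part of the guide, and not libpwquality's code) that models the length/credit, class-requirement, `maxrepeat`, `difok`, `usercheck` and `gecoscheck` rules locally and lists every reason a candidate would fail. It deliberately omits the dictionary (cracklib) check, which needs the system word list, so `pwscore` on the real host remains the authority; the account name `johndoe`, its GECOS field, and the policy strings are taken from this page or constructed for the example. Because it reports all failing rules, some of the page's rejected examples show more reasons than the single one listed above.

```python
"""Local model of the pam_pwquality rules this guide configures.

Added example, not code from the guide or from libpwquality. The dictionary
check is intentionally left out; everything else follows the option
semantics described in the table above. Account details are constructed.
"""
import re


def parse_options(option_string):
    """'retry=3 minlen=10 ... gecoscheck' -> {'retry': 3, ..., 'gecoscheck': 1}."""
    opts = {}
    for tok in option_string.split():
        name, sep, value = tok.partition("=")
        opts[name] = int(value) if sep else 1   # a bare flag means enabled
    return opts


# Credit option -> (human label, predicate on a single character)
CLASSES = {
    "ucredit": ("uppercase letter", str.isupper),
    "lcredit": ("lowercase letter", str.islower),
    "dcredit": ("digit", str.isdigit),
    "ocredit": ("non-alphanumeric character", lambda c: not c.isalnum()),
}


def check(password, options, username="", gecos="", old_password=None):
    """Return the list of reasons the password would be rejected (empty = accepted)."""
    opts = parse_options(options) if isinstance(options, str) else options
    reasons = []

    # 1. Class credits / requirements. A negative credit -N demands N characters
    #    of that class and grants no credit; a non-negative credit N lets up to N
    #    characters of the class count as extra length towards minlen.
    credit = 0
    for key, (label, pred) in CLASSES.items():
        n = opts.get(key, 0)
        have = sum(1 for c in password if pred(c))
        if n < 0 and have < -n:
            reasons.append(f"needs at least {-n} {label}(s), has {have}")
        elif n >= 0:
            credit += min(have, n)

    # 2. Minimum length after credits (pwquality's default minlen is 8).
    minlen = opts.get("minlen", 8)
    if len(password) + credit < minlen:
        reasons.append(f"too short: {len(password)} + {credit} credit < minlen {minlen}")

    # 3. maxrepeat: the longest run of one repeated character.
    maxrepeat = opts.get("maxrepeat", 0)
    if maxrepeat:
        for run in re.finditer(r"(.)\1*", password):
            if len(run.group()) > maxrepeat:
                reasons.append(f"'{run.group(1)}' repeated {len(run.group())} times > maxrepeat {maxrepeat}")
                break

    # 4. difok: characters of the new password that do not occur in the old one
    #    (simplified form of pwquality's similarity test).
    difok = opts.get("difok", 1)
    if old_password is not None:
        new_chars = sum(1 for c in password if c not in old_password)
        if new_chars < difok:
            reasons.append(f"only {new_chars} character(s) not in the old password < difok {difok}")

    # 5. usercheck (on by default): the account name, also reversed, must not appear.
    low = password.lower()
    if opts.get("usercheck", 1) and username:
        u = username.lower()
        if u in low or u[::-1] in low:
            reasons.append(f"contains the account name '{username}'")

    # 6. gecoscheck: words longer than 3 characters from the GECOS field.
    if opts.get("gecoscheck", 0):
        for word in re.split(r"[\s,]+", gecos):
            if len(word) > 3 and word.lower() in low:
                reasons.append(f"contains GECOS word '{word}'")
    return reasons


GUIDE_POLICY = ("retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 "
                "ocredit=-1 maxrepeat=3 gecoscheck")
STRICT_POLICY = ("retry=3 minlen=14 difok=5 ucredit=-2 lcredit=-2 dcredit=-2 "
                 "ocredit=-2 maxrepeat=2 gecoscheck")
# Constructed account matching the guide's "johndoe" example.
USER, GECOS = "johndoe", "John Doe,,,"

EXAMPLES = ["password", "Password1", "Pass@123", "Johndoe@123", "Passssword@1",
            "MyP@ssw0rd!", "S3cur3#Pass", "C0mpl3x!ty"]


def accepted(password, options=GUIDE_POLICY):
    """True if the password passes every modelled rule for the constructed account."""
    return not check(password, options, USER, GECOS)


if __name__ == "__main__":
    for pw in EXAMPLES:
        r = check(pw, GUIDE_POLICY, USER, GECOS)
        print(f"{pw:15} {'ACCEPTED' if not r else 'REJECTED: ' + '; '.join(r)}")
```

Swap `GUIDE_POLICY` for `STRICT_POLICY` (or paste the "Less Strict" string) in the loop to see which of the same candidates survive each policy; under the strict one, for instance, `MyP@ssw0rd!` fails on both length and the two-digit requirement.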

<Warning>
  Make sure at least one account already has a strong password that meets these requirements before enforcing them, or you may lock yourself out when passwords expire.
</Warning>

## What This Does

With password quality requirements enforced:

* Users cannot set weak passwords
* All new passwords must meet complexity requirements
* Password changes are validated against security rules
* Brute-force attacks become exponentially harder
* Compliance requirements are met

## Additional Security

Consider combining this with:

* Password expiration policies (in `/etc/login.defs`)
* Password history (prevent reusing old passwords)
* Account lockout policies (with faillock or pam\_tally2)
* Two-factor authentication for SSH
