- 1 Vapor IO Brings OpenDCRE to General Availability
- 2 VMware Takes the Wraps Off vRealize Automation and vRealize Business
- 3 Microsoft Previews Hyper-V Containers for Windows Server 2016
- 4 Mirantis Led FUEL Project Gets Installed Under OpenStack Big Tent
- 5 Red Hat Enterprise Linux 7.2 Adds Security, DR Features
Setting Password Policy With PAM
The PAM module pam_cracklib can enforce both length and complexity. For length, it uses the minlen option. For complexity, it has options dcredit, ucredit, lcredit, and ocredit, which refer to digit, upper-case character, lower-case character, and other character, respectively. A value of -1 for one of these means "require one character of this type," and a value of 1 means "give 1 credit for this type." The credit system involves giving "length credits" for using non-lowercase characters (so you can have a shorter password than the minimum length if it uses non-lowercase characters), but this can be confusing for users, so it may be best to just require certain types of character.
Try the following line in /etc/pam.d/common-password in Debian-type distros or /etc/pam.d/system-auth in RedHat-type distros:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 dcredit=-1 ucredit=-1 lcredit=-1
» Cracking Passwords
» Aliases and Variables Keep Things Short and Simple
Read All Tips of the Trade
Finally, to make all your users change their passwords regularly, edit the /etc/login.defs file to set the PASS_MAX_DAYS variable to the maximum time allowed before changing a password. This affects only new accounts; use the command chage to affect existing users.