Enforce strong passwords in Debian

Outdated content

Published on 2011-03-17.

This tutorial explains how you can enforce a strong password for users on Debian.

On Linux the passwd command changes passwords for user accounts. A normal user may only change the password for his/her own account, while the superuser may change the password for any account. passwd also changes the account or associated password validity period.

passwd uses PAM (Pluggable Authentication Modules) to authenticate users and to change their passwords.

To enforce stricter password rules, install the libpam-cracklib package (it provides the pam_cracklib.so module, which checks a new password against the cracklib dictionary and against the length and character-class rules described below):

# apt-get install libpam-cracklib

Once it is installed, the rules are set in /etc/pam.d/common-password. On Debian this file is generated by pam-auth-update, which adds a default pam_cracklib line when the package is installed; edit that line rather than adding a second one, keep it before the pam_unix.so entry (which carries use_authtok so that it reuses the password cracklib has already accepted), and bear in mind that pam-auth-update manages that block and will warn about, and can replace, local edits when it is run again.

In the following example the line requires a password of at least 10 characters containing at least 4 digits, 1 upper case letter and 1 other (non-alphanumeric) character. A negative credit (dcredit=-4, ucredit=-1, ocredit=-1) is a requirement for that many characters of the class and earns no length credit; lcredit=0 means lower case letters earn no credit either, so minlen=10 is a real minimum of 10 characters, unlike the module's defaults (credit 1 per class) where each character class present shaves one character off the required length. retry=1 gives the user a single attempt to enter an acceptable password, and reject_username rejects any password that contains the account name, straight or reversed. These checks run in addition to cracklib's dictionary check. Note that root is only warned, not stopped, by failed checks unless enforce_for_root is also added.

password requisite pam_cracklib.so retry=1 dcredit=-4 ucredit=-1 ocredit=-1 lcredit=0 minlen=10 reject_username
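The credit arithmetic behind minlen is the part of this configuration people most often get wrong, so here is an added example (mine, not code from the tutorial or from the pam_cracklib module) that re-implements in Python the length/credit rule and the reject_username check as documented in pam_cracklib(8), and runs a few constructed candidate passwords through both the rule above and the module's defaults. It deliberately does not model the cracklib dictionary check or the palindrome/similarity checks, so a real passwd run can still reject something this accepts; the case-sensitive substring match for reject_username is my reading of the module and should be treated as an assumption.

```python
"""Model of pam_cracklib's minlen/credit and reject_username checks.

Added illustration, not the module's own code.  Dictionary, palindrome and
similarity checks are NOT modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CracklibRule:
    # Defaults as documented in pam_cracklib(8): minlen=9, one credit per class.
    minlen: int = 9
    dcredit: int = 1   # digits
    ucredit: int = 1   # upper case letters
    lcredit: int = 1   # lower case letters
    ocredit: int = 1   # everything else
    reject_username: bool = False


# The rule configured on this page and the module's defaults, for comparison.
PAGE_RULE = CracklibRule(minlen=10, dcredit=-4, ucredit=-1, ocredit=-1,
                         lcredit=0, reject_username=True)
DEFAULT_RULE = CracklibRule()


def _count_classes(password: str) -> dict:
    """Count characters per class the way the module classifies them."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def credit_check(password: str, rule: CracklibRule) -> Optional[str]:
    """Return None if the password satisfies minlen/credits, else the reason.

    A credit N >= 0 lets up to N characters of that class count as extra
    length (lowering the effective minimum).  A credit N < 0 grants nothing
    and instead demands at least |N| characters of that class.
    """
    counts = _count_classes(password)
    required = rule.minlen
    for cls, credit, name in (("d", rule.dcredit, "digit"),
                              ("u", rule.ucredit, "upper case"),
                              ("l", rule.lcredit, "lower case"),
                              ("o", rule.ocredit, "other")):
        if credit >= 0:
            required -= min(counts[cls], credit)
        elif counts[cls] < -credit:
            return f"needs at least {-credit} {name} character(s)"
    if len(password) < required:
        return f"too short: {len(password)} < effective minimum {required}"
    return None


def username_in_password(password: str, username: str) -> bool:
    """reject_username: account name straight or reversed (assumed case-sensitive)."""
    return username in password or username[::-1] in password


def check_password(password: str, username: str,
                   rule: CracklibRule) -> Optional[str]:
    """None means accepted by the modelled checks; otherwise a rejection reason."""
    if rule.reject_username and username_in_password(password, username):
        return "contains the user name"
    return credit_check(password, rule)


def evaluate(candidates: List[str], username: str,
             rule: CracklibRule) -> List[Tuple[str, Optional[str]]]:
    return [(pw, check_password(pw, username, rule)) for pw in candidates]


if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical user "alice".
    samples = ["x4Y7#9q2mz", "x4Y7#9q2m", "Password1",
               "alice2024!!X", "X!ecila12345", "Ab1!", "Ab1!x", "longpasswordxx"]
    for label, rule in (("page rule", PAGE_RULE), ("module defaults", DEFAULT_RULE)):
        print(f"== {label}: {rule}")
        for pw, reason in evaluate(samples, "alice", rule):
            print(f"  {pw:16} {'OK' if reason is None else reason}")
```

Running it shows why the page sets lcredit=0 and negative credits: under the module's defaults a four-character password such as Ab1! earns four credits and is only one character short of the effective minimum, and a 14-letter all-lowercase password passes outright, whereas under the page's rule the only way to satisfy minlen=10 is ten real characters with the required digit, upper case and punctuation counts.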