IBM Support

Enforce strong Linux passwords

Question & Answer


Question

How do you enforce strong passwords for Linux accounts?

Answer

If you've wanted to unlock the mystery of ways to apply more rules to password creation and aging, here are a few tips.

Password aging can be managed by updating the file /etc/login.defs. Specifically, there are three parameters to be concerned with.

  • PASS_MAX_DAYS (default 99999 days) specifies the maximum number of days a password is valid.
  • PASS_MIN_DAYS (default 0 days) specifies the minimum number of days that must pass after a password change before the user can change the password again.
  • PASS_WARN_AGE (default 7 days) specifies the number of days before expiration at which the password change reminder starts.

These values are copied into the shadow file (/etc/shadow) at user creation time. As a result, changing these parameters will not affect already existing accounts. To display or change aging characteristics for a particular account, use the 'chage' command.

  • chage -l user1 (displays characteristics for user1)
  • chage -M 60 user1 (changes the max days before a password must be changed for user1)
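
Because the login.defs values do not reach existing accounts, those accounts have to be found and updated one by one with chage. The script below is an added example, not part of the original IBM document: it compares shadow-format entries against the login.defs policy and prints the chage command for each non-compliant account. The function names, sample accounts and placeholder hashes are constructed, and skipping entries whose hash field starts with ! or * is an assumption.

```shell
#!/bin/sh
# Added example (not IBM's code): list accounts whose shadow aging fields are
# laxer than the policy in login.defs, and print the chage fix for each.

# Print the last numeric value set for key $2 in login.defs-format file $1.
login_defs_value() {
    awk -v key="$2" '$1 == key && $2 ~ /^[0-9]+$/ { v = $2 } END { print v }' "$1"
}

# $1 = shadow-format file, $2 = login.defs-format file.
# Shadow fields: 1 name, 2 hash, 4 min days, 5 max days, 6 warn days.
# Prints one "chage ..." command per non-compliant account (nothing is changed).
aging_fixes() {
    max=$(login_defs_value "$2" PASS_MAX_DAYS)
    min=$(login_defs_value "$2" PASS_MIN_DAYS)
    warn=$(login_defs_value "$2" PASS_WARN_AGE)
    [ -n "$max" ] && [ -n "$min" ] && [ -n "$warn" ] || return 2
    awk -F: -v max="$max" -v min="$min" -v warn="$warn" '
        # Assumption: entries with no usable password (!, * or empty) are skipped.
        $2 == "" || $2 ~ /^[!*]/ { next }
        # An empty aging field means no limit is set, so flag it as well.
        $5 == "" || $5 + 0 > max + 0 ||
        $4 == "" || $4 + 0 < min + 0 ||
        $6 == "" || $6 + 0 < warn + 0 {
            printf "chage -M %d -m %d -W %d %s\n", max, min, warn, $1
        }
    ' "$1"
}

# Constructed sample data (hashes are placeholders, not real).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# policy after editing login.defs
PASS_MAX_DAYS   60
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$placeholder$hash:18000:0:99999:7:::
user1:$6$placeholder$hash:18100:0:99999:7:::
user2:$6$placeholder$hash:18200:1:60:14:::
svc:!:18000:0:99999:7:::
EOF
aging_fixes "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/login.defs"
```

On a real system, run aging_fixes as root against /etc/shadow and /etc/login.defs and review the printed commands before executing any of them.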

Applying rules for password creation can be accomplished using Linux Pluggable Authentication Modules (PAM). To set these restrictions, edit the /etc/pam.d/system-auth file. Find the entry for...

password requisite /lib/security/$ISA/pam_cracklib.so

and add the desired parameters. For example...

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

Parameter definitions:
  • retry: number of invalid login attempts before disconnecting
  • minlen: minimum length of the password
  • lcredit: minimum number of lower case letters
  • ucredit: minimum number of upper case letters
  • dcredit: minimum number of digits
  • ocredit: minimum number of other characters (non alpha, non numeric)

Of course, before editing /etc/login.defs or /etc/pam.d/system-auth, make a copy of the original.


Historical Number

NZ154859

Document Information

Modified date:
17 October 2019

UID

swg21571836