libpam_ passwdqc is a PAM module that tests passwords to make sure they are not too weak during password change.
It adds additional password entropy assistance to the standard security system.
The cracklib module doesn't enforce password strength checking on the “root”.
To enforce password checking for all accounts including the root user the passwdqc PAM module can be used instead of cracklib module.
Create a PAM configuration file for passwdqc by issuing the following command:
sudo vi /usr/share/pam-configs/passwdqc
and populate it with the following:
Name: passwdqc password strength checking Default: yes Priority: 1024 Conflicts: cracklib [maybe?] Password-Type: Primary Password: requisite pam_passwdqc.so min=disabled,10,8,8,8 similar=deny enforce=users ask_oldauthtok check_oldauthtok
Now issue the command:
sudo pam-auth-update
and ensure that the passwdqc password strength checking is enabled.
WARNING: Enabling the PAM passwdqc module will disable the PAM cracklib module.
Issue the following command:
sudo vi /etc/pam.d/common-password
and populate it with the following:
password requisite pam_passwdqc.so min=disabled,10,8,8,8 max=40 similar=deny enforce=users ask_oldauthtok check_oldauthtok password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so
By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password.
The pam_passwdqc manpage provides a lot of information, but the above essentially disallows passwords from any single character class, enforces a minimum length of 10 characters for a password from any two character classes, a minimum length of 8 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters from four character classes. The four character classes are made up of, digits, lower-case letters, upper-case letters, and other characters (such as '!' and '_') respectively. The above also enforces no passwords longer than 40 characters. The other options are clearly outlined in the pam_passwdqc man pages.
Each option can be customized to suit your environment. The above is actually less strict than the recommended default setting of “min=disabled,24,12,8,7” which can create some extremely difficult-to-crack passwords.
pam_passwdqc has no strange requirements, so even if your distribution does not provide it in packaged form, installing and compiling from source should cause no problems whatsoever.
The hashed passwords use a randomly generated salt.
password requisite pam_passwdqc.so min=disabled,12,8,6,5 max=40 passphrase=3 match=4 similar=deny random=42 enforce=everyone retry=3