What Do I Need?
- [tool]A Dedicated or VPS Linux Server[/tool]
- [tool]Ubuntu[/tool]
What are Secure Password Policies?
[openingText]Linux-based operating systems are amazing; however, they’re not the most secure by default, and a new web server installation needs additional configuration before it is properly hardened against bad actors. All of this starts with making sure that users’ passwords are actually complex and not just the name of their cats. If users set weak passwords for their accounts, it becomes easy for hackers to brute-force and compromise them.[/openingText]
Something that really sucks is that when creating a local user on Linux, you can give it any password and it will accept – even the monumentally stupid but still popular choice of ‘password’.
- [stepName]Enforce Secure Password Policy on Ubuntu[/stepName][step]
- [howToDirection]Require users to change their password at least every 30 days. By default, this is laughably set to 99999!
[stepImage]
sudo nano /etc/login.defs ... PASS_MAX_DAYS 30
[stepImage]
- [howToDirection]Let’s use the pwquality/pam_pwquality PAM module to set the default password requirements for the system passwords.
[/howToDirection][/step]
- [stepName]Install Prerequisites[/stepName][step]
- [howToDirection]Install the libpam-pwquality package on your Ubuntu server.
sudo apt-get -y install libpam-pwquality cracklib-runtime
[stepImage]
- [howToDirection]After the package installation, you’ll need to edit the /etc/pam.d/common-password file to set the password requirements:
sudo nano /etc/pam.d/common-password
[stepImage]
- [howToDirection]Find line 25, which should look something like this:
password requisite pam_pwquality.so retry=3
[/howToDirection]
- [howToDirection]Now change this to something a little more secure and useful:
password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
[stepImage]
- [howToDirection]So what do all these flags mean?
retry=3: Prompt a user two times before returning with an error. Keep this low as you don’t want someone continually hammering at the door.
minlen=12: The minimum password length. Make this as long as practically possible, since every extra character hugely increases the time an attacker needs to crack the password.
maxrepeat=3: Allow a maximum of 2 repeated characters in your password.
ucredit=-1: Require at least 1 uppercase character.
lcredit=-1: Require at least 1 lowercase character.
dcredit=-1: Require at least 1 number.
ocredit=-1: Require at least 1 other (special) character.
difok=3: The number of characters in the new password that must not have been present in the previous password.
gecoscheck=1: Rejects the password if it contains any word from the GECOS field (full name, etc.) of the user’s passwd entry.
reject_username: Rejects the password if it contains the name of the user in either straight or reversed form.
enforce_for_root: Enforce the password policy for the root user.[/howToDirection]
- [howToDirection]You can change this configuration to fit the security requirements of your particular use case; however, the one above is a good start.[/howToDirection]
- [howToDirection]Reboot your server:
sudo reboot
[/howToDirection]
- [howToDirection]You can then add a test user account to confirm that your password policy changes have taken effect:
sudo useradd test
[/howToDirection]
- [howToDirection]Try using a weak password:
sudo passwd test
[/howToDirection]
- [howToDirection]If you’ve set your password policy correctly, you’ll receive an error notification that the password is unsatisfactory.[/howToDirection][/step]
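As an added example (not part of the original guide), the script below audits the two files this procedure edits against the settings above: it parses the pam_pwquality line and PASS_MAX_DAYS and reports every option that is missing or weaker than the guide's baseline. The file contents are constructed samples, and the function names are mine.

```python
import re
# Baseline from the guide's pam_pwquality line: option -> test on its integer value
# (negative credit = minimum count required); None = bare flag that must be present.
BASELINE = {"minlen": lambda v: v >= 12, "maxrepeat": lambda v: 0 < v <= 3,
            "ucredit": lambda v: v <= -1, "lcredit": lambda v: v <= -1,
            "dcredit": lambda v: v <= -1, "ocredit": lambda v: v <= -1,
            "difok": lambda v: v >= 3, "gecoscheck": lambda v: v == 1,
            "reject_username": None, "enforce_for_root": None}

def parse_pwquality_opts(common_password_text):
    """Options of the first 'password ... pam_pwquality.so' line, or None."""
    for line in common_password_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "password" and f[2] == "pam_pwquality.so":
            opts = {}
            for tok in f[3:]:
                key, _, val = tok.partition("=")
                opts[key] = int(val) if re.fullmatch(r"-?\d+", val) else (val or True)
            return opts
    return None

def pam_findings(common_password_text):
    """Every baseline option that is missing or set weaker than the baseline."""
    opts = parse_pwquality_opts(common_password_text)
    if opts is None:
        return ["pam_pwquality.so is not configured in common-password"]
    out = []
    for opt, ok in BASELINE.items():
        if opt not in opts:
            out.append(f"{opt} missing")
        elif ok and not (type(opts[opt]) is int and ok(opts[opt])):
            out.append(f"{opt}={opts[opt]} weaker than baseline")
    return out

def login_defs_findings(login_defs_text):
    """PASS_MAX_DAYS must be set and at most 30; the last definition is taken."""
    days = re.findall(r"(?m)^\s*PASS_MAX_DAYS\s+(\d+)", login_defs_text)
    if not days or int(days[-1]) > 30:
        return [f"PASS_MAX_DAYS is {days[-1] if days else 'unset'} (want <= 30)"]
    return []

# Constructed samples (not from a real host): a fresh install versus the edited files.
# Use open("/etc/pam.d/common-password").read() and open("/etc/login.defs").read() live.
DEFAULT_PAM = "password requisite pam_pwquality.so retry=3\n"
DEFAULT_DEFS = "# comment\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n"
HARDENED_PAM = ("password requisite pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 "
                "lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root\n")

if __name__ == "__main__":
    for pam, defs in ((DEFAULT_PAM, DEFAULT_DEFS), (HARDENED_PAM, "PASS_MAX_DAYS 30\n")):
        print(pam_findings(pam) + login_defs_findings(defs) or "OK")
```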
Next Steps
I’d recommend regularly checking for vulnerabilities in not just your web server but also your own security behavior. Are you someone who habitually uses the same password for everything? Now that you’re in charge of a web server, that has to come to an end.
Conclusion
As you’ve seen, enforcing an appropriately secure password policy is quite easy and is a great way of preventing users from setting weak passwords that an attacker could guess manually or brute-force. By enforcing these policies you can finally rest assured that you’ve taken the first steps to properly fortifying your systems’ security and made it more difficult for bad actors and hackers to compromise you.