A strong password is one of the most important elements of a secure Information and Communication Technology (ICT) infrastructure.
A good password should withstand, or at least make impractical, password guessing, brute-force attacks and dictionary attacks.
Nowadays, with more infrastructure hosted in the cloud, remote access to clients and servers over SSH or RDP is routine, and a weak password on such an account hands critical data to anyone who guesses it. (Where SSH is exposed to the internet, key-based authentication with password logins disabled is the stronger control; the policy below hardens the password logins that remain.) A good password should:
- Be at least 8 characters long.
- Contain at least one uppercase character.
- Contain at least one lowercase character.
- Contain at least one number.
- Contain at least one special character.
Before you Start
- A VPS or Dedicated Server running Ubuntu 18.04.
- A non-root user configured with sudo privileges.
Update System Packages
$ sudo apt update -y && sudo apt upgrade -y
Install pam_pwquality Package
pam_pwquality is the successor to pam_cracklib and is provided by the libpam-pwquality package. It checks a new password against a system dictionary and a set of configurable quality rules (minimum length, character classes, similarity to the old password) and rejects passwords that fail, so users cannot set weak ones. On Ubuntu, installing the package also adds a pam_pwquality.so line to /etc/pam.d/common-password through pam-auth-update.
$ sudo apt install -y libpam-pwquality
Password aging is configured separately: the maximum number of days a password may "live" before the user is prompted to change it is set in the /etc/login.defs file. Note that these values only apply to accounts created after the change; existing accounts keep their current aging settings until you adjust them with chage (see the end of this guide).
$ sudo vim /etc/login.defs
Around line 160 you will find the three settings below. The values shown are the ones used in this guide; choose whatever is appropriate for your environment.
Set the maximum number of days a password can be used in the PASS_MAX_DAYS line.
Set the minimum number of days a password should be used before another change is made (PASS_MIN_DAYS).
Set the number of days you should be warned before the password expires (PASS_WARN_AGE).
PASS_MAX_DAYS 30
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
Set the minimum number of characters in a password.
Without pam_pwquality, the pam_unix obscure check on Ubuntu 18.04 accepts passwords as short as 6 characters, and pam_pwquality's own built-in default is 8. You change this in the common-password file under the /etc/pam.d folder.
$ sudo vim /etc/pam.d/common-password
Set the minimum password length on line 25 (the pam_pwquality line). retry=3 gives the user three attempts before passwd gives up:
password requisite pam_pwquality.so retry=3 minlen=9
Set how many previous passwords are remembered and refused on re-use on line 26. With remember=5, pam_unix keeps the hashes of the user's last 5 passwords in /etc/security/opasswd and rejects any of them as a new password:
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
As discussed in the introduction, we want a new password to draw on several character classes: uppercase letters, lowercase letters, digits and special characters. pam_pwquality counts these four classes with minclass; we will require at least 3 of them (minclass=4 would demand all four). Add minclass to the same pam_pwquality line 25 rather than creating a second one, so that the full line now reads:
password requisite pam_pwquality.so retry=3 minlen=9 minclass=3
Other pam_pwquality settings can be appended to the same line in the same way: the per-class credits ucredit, lcredit, dcredit and ocredit (a negative value such as dcredit=-1 requires at least one character of that class, which is how to enforce the introduction's "one of each" rule exactly), difok for the number of characters that must differ from the old password, maxrepeat to limit runs of the same character, and enforce_for_root, without which root is only warned about a bad password rather than refused. See man pam_pwquality for the full list.
To confirm your password policy implementation, try changing the password to something that breaks a rule. pam_pwquality names the rule that failed (the length it quotes is the minlen currently in effect):
$ passwd
Changing password for linuxuser.
(current) UNIX password:
New password:
BAD PASSWORD: The password is shorter than 8 characters
New password:
Your password policy checks are now in place. It cannot be stressed enough how important the development and enforcement of a good password policy is. The aging values from /etc/login.defs can also be set for an individual user with sudo chage USERNAME (replace USERNAME with the account name), which prompts for each value in turn; non-interactively, sudo chage -M 30 -m 0 -W 7 USERNAME sets the same three values. Confirm the result with sudo chage -l USERNAME.
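The whole procedure above as one script, added here as an example and not part of the original article: it applies the /etc/login.defs and /etc/pam.d/common-password settings idempotently (so it can be re-run without duplicating options), audits the result so the same functions can serve as a configuration-drift check, and pre-checks a candidate password against the length and character-class rules that minlen and minclass enforce. By default it works on constructed sample copies of the two files in a temporary directory; the WORKDIR, LOGIN_DEFS and COMMON_PASSWORD variables and all function names are my own and not part of any Ubuntu tool. Point the two variables at the real files (as root, after taking a backup) to apply the policy for real.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Applies and audits the
# password policy described in the guide. By default it edits constructed
# sample copies in a temp dir; set LOGIN_DEFS / COMMON_PASSWORD (hypothetical
# variable names) to the real /etc files to apply it to a system.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
LOGIN_DEFS="${LOGIN_DEFS:-$WORKDIR/login.defs}"
COMMON_PASSWORD="${COMMON_PASSWORD:-$WORKDIR/common-password}"

# Constructed excerpts mirroring the Ubuntu 18.04 defaults (not real files).
make_samples() {
  printf 'PASS_MAX_DAYS   99999\nPASS_MIN_DAYS   0\nPASS_WARN_AGE   7\n' > "$LOGIN_DEFS"
  cat > "$COMMON_PASSWORD" <<'EOF'
password   requisite                    pam_pwquality.so retry=3
password   [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512
password   requisite                    pam_deny.so
password   required                     pam_permit.so
EOF
}

# edit_in_place FILE SED_SCRIPT: rewrite FILE through sed, keeping its owner and mode.
edit_in_place() {
  local tmp
  tmp="$(mktemp)"
  sed -E "$2" "$1" > "$tmp"
  cat "$tmp" > "$1"
  rm -f "$tmp"
}

# set_login_def KEY VALUE: change the value of an existing KEY line in login.defs.
set_login_def() {
  edit_in_place "$LOGIN_DEFS" "s/^(${1}[[:space:]]+).*/\1${2}/"
}

# set_pam_opt MODULE OPT VALUE: set OPT=VALUE on the MODULE line of
# common-password, replacing an existing OPT= or appending it (idempotent).
set_pam_opt() {
  local module="$1" opt="$2" value="$3"
  if grep -qE "^password.*${module}.*[[:space:]]${opt}=" "$COMMON_PASSWORD"; then
    edit_in_place "$COMMON_PASSWORD" \
      "/^password.*${module}/ s/([[:space:]])${opt}=[^[:space:]]*/\1${opt}=${value}/"
  else
    edit_in_place "$COMMON_PASSWORD" "/^password.*${module}/ s/\$/ ${opt}=${value}/"
  fi
}

# get_login_def KEY / get_pam_opt MODULE OPT: read a configured value back (empty if unset).
get_login_def() { awk -v k="$1" '$1 == k { print $2 }' "$LOGIN_DEFS"; }
get_pam_opt() {
  grep -E "^password.*$1" "$COMMON_PASSWORD" \
    | grep -oE "[[:space:]]$2=[^[:space:]]*" | head -n1 | cut -d= -f2
}

# apply_policy: the values from the guide (30-day maximum age, 9+ characters,
# 3 of 4 character classes, last 5 passwords remembered).
apply_policy() {
  set_login_def PASS_MAX_DAYS 30
  set_login_def PASS_MIN_DAYS 0
  set_login_def PASS_WARN_AGE 7
  set_pam_opt pam_pwquality.so retry 3
  set_pam_opt pam_pwquality.so minlen 9
  set_pam_opt pam_pwquality.so minclass 3
  set_pam_opt pam_unix.so remember 5
}

# audit_policy: succeed only if both files meet the policy.
audit_policy() {
  [ "$(get_login_def PASS_MAX_DAYS)" -le 30 ] &&
  [ "$(get_pam_opt pam_pwquality.so minlen)" -ge 9 ] &&
  [ "$(get_pam_opt pam_pwquality.so minclass)" -ge 3 ] &&
  [ "$(get_pam_opt pam_unix.so remember)" -ge 5 ]
}

# count_classes PASSWORD: how many of the four classes (upper, lower, digit,
# other) the password contains, which is what pam_pwquality's minclass counts.
count_classes() {
  local p="$1" n=0
  case "$p" in *[[:upper:]]*) n=$((n + 1)) ;; esac
  case "$p" in *[[:lower:]]*) n=$((n + 1)) ;; esac
  case "$p" in *[[:digit:]]*) n=$((n + 1)) ;; esac
  case "$p" in *[![:alnum:]]*) n=$((n + 1)) ;; esac
  echo "$n"
}

# meets_policy PASSWORD: length >= 9 and at least 3 classes, as configured above.
meets_policy() {
  [ "${#1}" -ge 9 ] && [ "$(count_classes "$1")" -ge 3 ]
}

# Run with --demo to apply the policy to the sample files and print them.
if [ "${1:-}" = "--demo" ]; then
  make_samples
  apply_policy
  audit_policy && echo "policy applied:" && cat "$LOGIN_DEFS" "$COMMON_PASSWORD"
fi
```

The audit deliberately reads the values back from the files rather than trusting that the edit succeeded, which is what you want when the same functions run from a cron job or configuration-management check on many hosts. meets_policy mirrors only the minlen and minclass rules; the dictionary and similarity checks still happen inside pam_pwquality when passwd is run.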