How to Enforce Password Quality on Ubuntu 18.04 VPS or Dedicated Server


A strong password is one of the most important elements of a strong secure Information and communication technology (ICT) infrastructure.

A good password should be able to withstand, or at least make it hard for a malicious person to guess, carry out a brute force or a dictionary attack.

Nowadays with increased cloud hosted infrastructure, remote access to clients or servers is common through SSH/RDP. This requires you to have a strong password to avoid unauthorised access to critical data. A good password should:

  • Be at least 8 characters long.
  • Contain at least one uppercase character.
  • Contain at least one lowercase character.
  • Contain at least one number
  • Contain at least one special character.

Before you Start

  • A VPS or Dedicated Server running Ubuntu 18.04.
  • A non-root user configured with sudo privileges.


Update System Packages

$ sudo apt update -y && sudo apt upgrade -y

Install pam_cracklib Package

This is a library that serves to check entered passwords against a system dictionary in order to force compliance. It measures the strength and based on results, it may accept or reject the password to help avoid entering weak passwords.

$ sudo apt install -y libpam-pwquality

Configurations made against a password may include the set maximum days a password may “live” before you are prompted to change it. This setting recides in the /etc/login.defs file

$ sudo vim /etc/login.defs

From line160, you may decide to use the number of days set below or one that is most appropriate to you.

Set the maximum number of days a password can be used in the PASS_MAX_DAYS line.

Set the minimum number of days a password should be used before another change is made (PASS_MIN_DAYS).

Set the number of days you should be warned before the password expires (PASS_WARN_AGE).


Set the minimum number of characters in a password.

The default number of characters in an Ubuntu 18.04 OS is 6. You may change this under the common-password file under the /etc/pam.d folder.

$ sudo vim /etc/pam.d/common-password

Set the minimum password length online25

password        requisite retry=3 minlen=9

Set the minimum number of times a single password should not be repeated after change on line26

 password        [success=1 default=ignore] obscure use_authtok try_first_pass sha512 remember=5

As discussed in the introduction, we need to ensure the properties are enforced while entering a new password; uppercase characters, lowercase characters, digits and special characters. We will enforce at least 3 properties for a password strength test criteria online25.

password        requisite retry=3 minclass=2

Other settings that may be appended at the endof line 25 include:


To confirm your password policy implementation, try changing the password.

$ passwdChanging password for linuxuser.
(current) UNIX password: 
New password: 
BAD PASSWORD: The password is shorter than 8 characters
New password:


You have successfully changed your password policy checks. It cannot be stressed enough how a good password policy development and implementation is. Alternatively, you may change the password policy for a single user by using the sudo chage USERNAME command while replacing the USERNAME with your appropriate one. You will follow the subsequent prompts and confirm with the sudo chage -l USERNAME command.

Check out these top 3 Best web hosting services

Was this article helpful?