How to Enable and Enforce Secure Password Policies on Ubuntu

How to Enable and Enforce Secure Password Policies on Ubuntu

What Do I Need?

  • A Dedicated or VPS Linux Server
  • Ubuntu

What are Secure Password Policies?

Linux-based operating systems are amazing; however, they’re not the most secure by default and more configurations are required for a new web server installation in order to ensure it’s properly hardened and secure from bad actors. And all of this starts with making sure that users’ passwords are actually complex and not just the name of their cats. If users set weak passwords for their accounts, it becomes easy for hackers to brute-force and compromise them.

Something that really sucks is that when creating a local user on Linux, you can give it any password and it will accept – even the monumentally stupid but still popular choice of ‘password’.

  1. Enforce Secure Password Policy on Ubuntu
  1. Enforce user requirements to change the password every 30 days or less. By default, this is laughably set to 99999!

How to Enable and Enforce Secure Password Policies on Ubuntu

sudo /etc/login.defs
PASS_MAX_DAYS        30

How to Enable and Enforce Secure Password Policies on Ubuntu

  1. Let’s use the pwquality/pam_pwquality PAM module to set the default password requirements for the system passwords.
  1. Install Prerequisites
  1. Install lib-am-pwquality package on your Ubuntu server.
sudo apt-get -y install libpam-pwquality cracklib-runtime

How to Enable and Enforce Secure Password Policies on Ubuntu

  1. After the package installation, you’ll need to edit the /etc/pam.d/common-password file to set the password requirements:
sudo nano /etc/pam.d/common-password

How to Enable and Enforce Secure Password Policies on Ubuntu

  1. Find line 25, which should look something like this:
password         requisite retry=3

  1. Now change this to something a little more secure and useful:
password         requisite retry=3 minlen=12 maxrepeat=3 ucredit=-1 
lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root

How to Enable and Enforce Secure Password Policies on Ubuntu

  1. So what do all these flags mean?

retry=3: Prompt a user two times before returning with an error. Keep this low as you don’t want someone continually hammering at the door.

minlen=12: The password length should be as long as practically possible as this hugely increases the time to decryption.

maxrepeat=3: Allow a maximum of 2 repeated characters in your password.

ucredit=-1: Require at least 1 uppercase character.

dcredit=-1: Must have at least 1 lowercase character.

dcredit=-1: Must have at least 1 number.

difok=3: The number of characters in the new password that must not have been present in the previous password.

gecoscheck=1: Words in the GECOS field of the user’s password entry aren’t contained in the new password.

reject_username: Rejects the password if it contains the name of the user in either straight or reversed form.

enforce_for_root: Enforce the password policy for the root user.

  1. You can change this configuration to fit the security requirements of your particular use case; however, the one above is a good start.
  2. Reboot your server:
sudo reboot

  1. You can then add a test user account to confirm that your password policy changes have taken effect:
sudo useradd test

  1. Try using a weak password:
sudo passwd test

  1. If you’ve set your password policy correctly, you’ll receive an error notification that that password is unsatisfactory.

Next Steps

I’d recommend regularly checking for vulnerabilities in not just your web server but also your own security behavior. Are you someone who habitually uses the same password for everything? Now that you’re in charge of a web server, that has to come to an end.


As you’ve seen, enforcing an appropriately secure password policy is quite easy and serves as a great way of preventing users from setting weak passwords that may be able to either guess manually or brute force attack. By enforcing these policies you can finally rest assured that you’ve taken the first steps to properly fortifying your systems’ security and made it more difficult for bad actors and hackers to compromise you.

How To Set up a VSFTPD Server on a CentOS 7 VPS or Dedicated Server

Brief Description FTP is usually insecure exposing clear-text passwords, userna
2 min read
Avi Ilinsky
Avi Ilinsky
Hosting Expert

How To Set up a VSFTPD Server on an Ubuntu 16.04 VPS or Dedicated Server

Brief Description FTP data is usually insecure since information (usernames, pa
2 min read
Eliran Ouzan
Eliran Ouzan
Web Designer & Hosting Expert

How to use phpMyAdmin to develop a website (without MySQL experience)

Brief description A web developer who is not well versed into coding websites f
2 min read
Idan Cohen
Idan Cohen
Marketing Expert

How to Install MySQL on a Windows Web Server Running Apache

This tutorial will show you how to install the MySQL database on a Windows serve
3 min read
Michael Levanduski
Michael Levanduski
Expert Hosting Writer & Tester provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.
Click to go to the top of the page
Go To Top