Learn 9 different account password policies in Linux. Understand how to view them, how to change them, and what their impact is on user management.
User management is one of the important aspects of Linux system administration. Unauthorized access to systems can be restricted by enforcing strong password policies on accounts. That's why this is a mandatory task in system hardening.
In this post, we will look at the nine password policies below that can be implemented in Linux.
- Password Max days
- Password Min days
- Password warning days
- Password history depth
- Password minimum length
- Minimum upper case characters
- Minimum lower case characters
- Minimum digits in password
- Wrong password retry
In the above list, the first 3 parameters are related to password aging, whereas the rest determine password strength.
1. Password Max days
This parameter sets the maximum number of days a password can be used. Once a password has aged this many days, the user must change his/her account password. This forbids users from using the same password for a long duration. In short, it is the maximum number of days a password is valid on the system. The value is set in the file /etc/login.defs against the parameter PASS_MAX_DAYS, as shown below:
# cat /etc/login.defs
----- file clipped -----
# PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MAX_DAYS 90
----- file clipped -----
Values in this file affect only accounts created after the file has been edited. For existing accounts, you need to change this value manually with the chage command and its -M option. You can check the currently set value with the -l option.
# chage -l user4
----- output clipped -----
Maximum number of days between password change : 30
Number of days of warning before password expires : 7
# chage -M 45 user4
# chage -l user4
----- output clipped -----
Maximum number of days between password change : 45
Number of days of warning before password expires : 7
Observe in the above example that the max days for an existing account have been changed from 30 to 45 days using the chage command.
2. Password min days
This attribute controls the minimum number of days before a password can be changed again. This forbids users from changing passwords too frequently. For example, if this parameter is set to 7 days and the user changes the password today, then he will be able to change it again only after 7 days from now. The value is set in the file /etc/login.defs against the parameter PASS_MIN_DAYS, as shown below:
# cat /etc/login.defs
----- file clipped -----
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_MIN_DAYS 1
----- file clipped -----
Values in this file affect only accounts created after the file has been edited. For existing accounts, you need to change this value manually with the chage command and its -m option.
# chage -l user4
----- output clipped -----
Minimum number of days between password change : 3
# chage -m 1 user4
# chage -l user4
----- output clipped -----
Minimum number of days between password change : 1
3. Password warning days
This attribute controls how many days before password expiry the user starts seeing a warning about changing the password after login. This gives sysadmins a chance to make their users aware of upcoming password expiry, so that users can change their password well before it expires. This does not really add any security to the system, but it helps users avoid unwanted service impact due to password expiry. The value is defined in the /etc/login.defs file against the PASS_WARN_AGE parameter.
# cat /etc/login.defs
----- file clipped -----
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_WARN_AGE 7
----- file clipped -----
As with the last two parameters, values in this file affect only accounts created after the file has been edited. For existing accounts, you need to change this value manually with the chage command and its -W option.
# chage -l user4
----- output clipped -----
Number of days of warning before password expires : 7
# chage -W 10 user4
# chage -l user4
----- output clipped -----
Number of days of warning before password expires : 10
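The three aging parameters above follow the same pattern: a default in /etc/login.defs for new accounts and a per-account value shown by chage -l. The following script is an added example, not part of the original post, that audits both against a policy and prints the chage command needed to fix a non-compliant account. The policy limits and the /etc/login.defs and chage -l text are constructed samples (the sample account has a 99999-day maximum, i.e. a password that never expires); on a real host you would pass "$(cat /etc/login.defs)" and "$(chage -l user4)" instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit the three aging settings
# against a policy, both the defaults for new accounts (/etc/login.defs) and an
# existing account ("chage -l"). The inputs below are constructed sample text so
# the script runs offline.

# Policy limits (assumed values for this example)
POLICY_MAX_DAYS=90
POLICY_MIN_DAYS=1
POLICY_WARN_DAYS=7

# Constructed sample of /etc/login.defs (comment lines kept, as in the real file)
SAMPLE_LOGIN_DEFS='# PASS_MAX_DAYS Maximum number of days a password may be used.
PASS_MAX_DAYS 90
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
PASS_MIN_DAYS 1
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_WARN_AGE 7'

# Constructed sample of "chage -l user4" output for an account whose password
# never expires (99999 days), which the audit should flag
SAMPLE_CHAGE='Last password change                                    : Jan 01, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 3
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7'

# login_defs_value TEXT PARAM: print the active (non-comment) value of PARAM
login_defs_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# chage_value TEXT WORD: print the number after the colon on the line whose
# first word is WORD (Minimum, Maximum or Number)
chage_value() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" \
        '$1 ~ ("^" key) { gsub(/ /, "", $2); print $2; exit }'
}

# within_policy VALUE OP LIMIT: OP is le or ge; succeeds if VALUE satisfies it
within_policy() {
    case "$2" in
        le) [ "$1" -le "$3" ] ;;
        ge) [ "$1" -ge "$3" ] ;;
        *)  return 2 ;;
    esac
}

# audit_aging LOGIN_DEFS_TEXT CHAGE_TEXT: print one line per check and return
# the number of failed checks (0 means fully within policy)
audit_aging() {
    defs=$1; acct=$2; fails=0
    for spec in "PASS_MAX_DAYS Maximum le $POLICY_MAX_DAYS -M" \
                "PASS_MIN_DAYS Minimum ge $POLICY_MIN_DAYS -m" \
                "PASS_WARN_AGE Number ge $POLICY_WARN_DAYS -W"; do
        set -- $spec            # key, chage -l word, op, limit, chage flag
        def_val=$(login_defs_value "$defs" "$1")
        acct_val=$(chage_value "$acct" "$2")
        if within_policy "$def_val" "$3" "$4"; then
            echo "OK   login.defs $1=$def_val"
        else
            echo "FAIL login.defs $1=$def_val (policy: $3 $4)"
            fails=$((fails + 1))
        fi
        if within_policy "$acct_val" "$3" "$4"; then
            echo "OK   account    $1=$acct_val"
        else
            echo "FAIL account    $1=$acct_val (policy: $3 $4), fix with: chage $5 $4 <user>"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Run the audit on the constructed samples when executed directly
audit_aging "$SAMPLE_LOGIN_DEFS" "$SAMPLE_CHAGE"
echo "failed checks: $?"
```

The return value is the number of failed checks, so the function can be looped over every account from /etc/passwd and the script's exit status used by a hardening job. With the constructed samples it reports one failure, the 99999-day maximum on the existing account, and suggests chage -M 90 for it.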
4. Password history depth
When the user sets a new password, it is checked against the user's previous passwords. If the user tries to set an old password again, the system forbids its use. How many previous passwords are remembered is the password history depth defined by this attribute. If it is set to 3, the user won't be able to use any password matching his last 3 passwords.
This depth is set in the /etc/pam.d/system-auth file against the remember parameter.
# cat /etc/pam.d/system-auth |grep -i pass
----- file clipped -----
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
----- file clipped -----
In the above example, the last 2 passwords are kept in history and checked against the new one, since remember is set to 2.
5. Password minimum length
The minimum number of characters required in a password is defined by this attribute. This enforces the use of strong passwords. It is defined in the /etc/pam.d/system-auth file against the minlen parameter.
# cat /etc/pam.d/system-auth |grep -i pass
----- file clipped -----
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1
----- file clipped -----
This will be used whenever a new password is being set.
6. Minimum upper case characters
Another password-strengthening attribute like the previous one. It enforces the use of uppercase characters in the password. It is defined in the /etc/pam.d/system-auth file against the ucredit parameter.
Example in point 5.
7. Minimum lower case characters
This enforces the use of lowercase characters in the password. It is defined in the /etc/pam.d/system-auth file against the lcredit parameter.
Example in point 5.
8. Minimum digits in password
This enforces the use of digits in the password. It is defined in the /etc/pam.d/system-auth file against the dcredit parameter.
Example in point 5.
9. Wrong password retry
This is the number of tries users get to enter a password without locking the account. As universally accepted, this is always set to 3. Its value is defined by the retry parameter in the /etc/pam.d/system-auth file.
Example in point 5.
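Points 4 to 9 all come from the two pam_cracklib.so and pam_unix.so lines in system-auth, so a single script can read them out and show what they enforce on a candidate password. The script below is an added example, not from the original post; the system-auth lines and the candidate passwords are constructed samples. It models only the simple semantics of these options: minlen as a length floor and a negative dcredit, ucredit or lcredit as a minimum count of that character class (positive credits, which count toward minlen, and cracklib's dictionary and similarity checks are not reproduced). remember and retry are read out but not evaluated: in pam_cracklib, retry is the number of times passwd re-prompts for a new password before giving up, and locking an account after failed logins is a separate concern handled by modules such as pam_faillock or pam_tally2.

```shell
#!/bin/sh
# Added example, not from the original post: read the pam_cracklib options
# from the "password" lines of system-auth and test a candidate password
# against them. Only minlen and negative d/u/lcredit values are modelled.

# Constructed sample of the password lines from /etc/pam.d/system-auth
SAMPLE_PAM='password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=2
password    required      pam_deny.so'

# pam_option PAM_TEXT MODULE OPTION: print VALUE from OPTION=VALUE on the
# "password" line of MODULE, or nothing if the option is absent
pam_option() {
    printf '%s\n' "$1" | awk -v mod="$2" -v opt="$3" '
        $1 == "password" && $3 == mod {
            for (i = 4; i <= NF; i++)
                if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
        }'
}

# count_class STRING CLASS: number of characters in STRING belonging to the
# POSIX character class CLASS (digit, upper or lower)
count_class() {
    printf '%s' "$1" | tr -cd "[:$2:]" | wc -c | tr -d ' '
}

# check_password PAM_TEXT CANDIDATE: print one line per rule and return the
# number of rules the candidate fails (0 means it passes these checks)
check_password() {
    pam=$1; pw=$2; fails=0
    minlen=$(pam_option "$pam" pam_cracklib.so minlen)
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -ge "${minlen:-0}" ]; then
        echo "OK   length $len >= minlen ${minlen:-0}"
    else
        echo "FAIL length $len < minlen $minlen"
        fails=$((fails + 1))
    fi
    for rule in "dcredit digit" "ucredit upper" "lcredit lower"; do
        set -- $rule            # option name, character class
        credit=$(pam_option "$pam" pam_cracklib.so "$1")
        case "$credit" in
            -*) need=${credit#-} ;;   # -N means at least N characters of this class
            *)  continue ;;           # absent or positive credit: no minimum enforced
        esac
        have=$(count_class "$pw" "$2")
        if [ "$have" -ge "$need" ]; then
            echo "OK   $2 count $have >= $need ($1=$credit)"
        else
            echo "FAIL $2 count $have < $need ($1=$credit)"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Demonstration on constructed candidates when executed directly
echo "history depth (remember): $(pam_option "$SAMPLE_PAM" pam_unix.so remember)"
echo "retry prompts:            $(pam_option "$SAMPLE_PAM" pam_cracklib.so retry)"
for candidate in 'password' 'Passw0rd'; do
    echo "--- candidate: $candidate"
    check_password "$SAMPLE_PAM" "$candidate"
    echo "failed rules: $?"
done
```

With the sample line, 'password' meets minlen=8 but fails dcredit=-1 and ucredit=-1 (two failed rules), while 'Passw0rd' passes all four. On a real host, replace SAMPLE_PAM with "$(cat /etc/pam.d/system-auth)" to see which rules the live configuration actually enforces before rolling it out.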
Please note that all the above configuration files are taken from the RHEL flavor. If you have any questions, queries, suggestions or corrections, please let us know in the comments.