# password policy 🔑

## Setting up basic password aging

1. **Edit login definitions:** First, open `/etc/login.defs` as root (the file is root-owned, so without `sudo` nano will not be able to save it):

```sh
sudo nano /etc/login.defs
```

2. **Modify password parameters:** Locate and change the following parameters:

> Change: `PASS_MAX_DAYS 99999` → `PASS_MAX_DAYS 30`

> Change: `PASS_MIN_DAYS 0` → `PASS_MIN_DAYS 2`

<figure><img src="/files/xC6GjTfRhIFALhAtN63q" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} <mark style="color:green;">PASS\_MAX\_DAYS</mark>: Maximum number of days a password may be used before it expires and a change is forced.

<mark style="color:green;">PASS\_MIN\_DAYS</mark>: Minimum number of days that must pass before a password can be changed again (prevents cycling straight back to an old password).

<mark style="color:green;">PASS\_WARN\_AGE</mark>: Number of days before expiration during which the user is warned at login. The default of 7 is left unchanged here.

Note that these values in `login.defs` are only applied to accounts created after the change. Accounts that already exist, root included, keep the aging values stored for them in `/etc/shadow`; set those with `sudo chage -M 30 -m 2 -W 7 <user>` and verify with `chage -l <user>`.
{% endhint %}

## Installing password quality enforcement

3. **Install password quality library:** To enforce password quality rules, install the following package:

```sh
sudo apt install libpam-pwquality
```

Type `Y` when prompted to confirm and wait for the installation to complete.

<figure><img src="/files/Zj7b9HpZiHBEEWSuX6Q8" alt=""><figcaption></figcaption></figure>

## Configuring password complexity rules

4. **Edit PAM configuration:** Next, edit the PAM (Pluggable Authentication Modules) password stack, again as root:

```sh
sudo nano /etc/pam.d/common-password
```

<figure><img src="/files/s1TivHIpLHYwvAWwscqC" alt=""><figcaption></figcaption></figure>

5. **Add the quality rules:** On the line that loads `pam_pwquality.so`, directly after **retry=3** and on the same line, append the following module options (space-separated):

```
minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root
```

This is how the line must look ↙️

<figure><img src="/files/FBMDYu4anYgxHsM0eiYn" alt=""><figcaption></figcaption></figure>

This is how the file must look ↙️

<figure><img src="/files/Puds7feustVy8qLDwmds" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} <mark style="color:green;">minlen=10</mark> ➤ The minimum length of the password. pwquality counts this length *plus credits*: the three `*credit=-1` options below disable the credit for their classes, but `ocredit` (symbols) keeps its default credit of 1, so a 9-character password containing one symbol still passes. Add `ocredit=-1` or `ocredit=0` as well if you want a hard minimum of 10 characters.

<mark style="color:green;">ucredit=-1</mark> ➤ The password must contain at least one uppercase letter. The sign matters: a negative value `-N` is a requirement (at least N characters of that class). A positive value is not a maximum but a credit: up to N characters of that class each count one extra point toward `minlen`, which makes the length check easier to satisfy, not harder.

<mark style="color:green;">dcredit=-1</mark> ➤ The password must contain at least one digit.

<mark style="color:green;">lcredit=-1</mark> ➤ The password must contain at least one lowercase letter.

<mark style="color:green;">maxrepeat=3</mark> ➤ The password may not contain more than three identical consecutive characters (`aaa` is accepted, `aaaa` is rejected).

<mark style="color:green;">reject\_username</mark> ➤ The password is rejected if it contains the username, either as written or reversed.

<mark style="color:green;">difok=7</mark> ➤ At least seven characters of the new password must not appear in the old password.

<mark style="color:green;">enforce\_for\_root</mark> ➤ Apply the checks to root as well. Without this option a failing password chosen by root only produces a warning and is still accepted.
{% endhint %}
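The following script is an added example and is not part of the original page: it applies steps 2 and 5 above non-interactively, so the change can be repeated on several machines and verified instead of being typed by hand. The two file paths are parameters (try it on copies before pointing it at `/etc/login.defs` and `/etc/pam.d/common-password`), options are only appended when they are not already on the `pam_pwquality.so` line so re-running is safe, and a separate function pushes the same aging limits with `chage` onto accounts that already exist. The UID range used to pick regular accounts (1000 to 59999) and the choice to write `PASS_WARN_AGE 7` explicitly are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original page). Usage:
#   sudo sh apply_policy.sh /etc/login.defs /etc/pam.d/common-password
# With no arguments the script only defines its functions and changes nothing.
set -eu

# set_login_def FILE KEY VALUE: rewrite the active "KEY value" line (commented
# lines are left untouched) or append one if the key is absent. The rewritten
# text is copied back over the original so its owner and mode are preserved.
set_login_def() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s/^[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file" > "$file.tmp"
        cat "$file.tmp" > "$file" && rm "$file.tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_login_def FILE KEY: print the effective value (last uncommented match).
get_login_def() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# pwquality_line FILE: print the line that loads pam_pwquality.so.
pwquality_line() {
    grep 'pam_pwquality\.so' "$1"
}

# add_pwquality_opts FILE "opt1 opt2 ...": append each option to the
# pam_pwquality.so line unless an option of that name is already there.
add_pwquality_opts() {
    file=$1; opts=$2
    if ! grep -q 'pam_pwquality\.so' "$file"; then
        echo "no pam_pwquality.so line in $file (is libpam-pwquality installed?)" >&2
        return 1
    fi
    for opt in $opts; do
        name=${opt%%=*}
        if pwquality_line "$file" | grep -Eq "(^|[[:space:]])${name}(=|[[:space:]]|$)"; then
            continue
        fi
        sed -E '/pam_pwquality\.so/ s/$/ '"$opt"'/' "$file" > "$file.tmp"
        cat "$file.tmp" > "$file" && rm "$file.tmp"
    done
}

# apply_policy LOGIN_DEFS PAM_FILE: the exact settings from this page.
apply_policy() {
    set_login_def "$1" PASS_MAX_DAYS 30
    set_login_def "$1" PASS_MIN_DAYS 2
    set_login_def "$1" PASS_WARN_AGE 7   # Debian default, written explicitly (assumption)
    add_pwquality_opts "$2" \
        'minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root'
}

# apply_aging_to_existing: login.defs only seeds accounts created later, so the
# same limits are set with chage on root and on every regular account that
# already exists (UID 1000-59999 is the Debian convention; an assumption here).
apply_aging_to_existing() {
    for user in root $(awk -F: '$3 >= 1000 && $3 < 60000 { print $1 }' /etc/passwd); do
        chage -M 30 -m 2 -W 7 "$user"
    done
}

# With two paths given: apply the policy and report what is now in effect.
if [ "$#" -ge 2 ]; then
    apply_policy "$1" "$2"
    printf 'PASS_MAX_DAYS=%s PASS_MIN_DAYS=%s PASS_WARN_AGE=%s\n' \
        "$(get_login_def "$1" PASS_MAX_DAYS)" \
        "$(get_login_def "$1" PASS_MIN_DAYS)" \
        "$(get_login_def "$1" PASS_WARN_AGE)"
    pwquality_line "$2"
fi
```

After running it against the real files, call `apply_aging_to_existing` once (or `sudo chage -M 30 -m 2 -W 7 <user>` per account) and confirm with `chage -l <user>`. To confirm the quality rules, run `sudo passwd <user>` and offer a password that breaks one rule, for example one with no uppercase letter or with `aaaa` in it; PAM must reject it, and with `enforce_for_root` it must also reject it when root is the target.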


