🔑 Password policy 🔑

Setting up basic password aging

  1. Edit login definitions: First, we need to edit the login.defs file:

nano /etc/login.defs
  2. Modify password parameters: Locate and change the following parameters:

Change: PASS_MAX_DAYS 99999 → PASS_MAX_DAYS 30

Change: PASS_MIN_DAYS 0 → PASS_MIN_DAYS 2

PASS_MAX_DAYS: Maximum number of days before password expires.

PASS_MIN_DAYS: Minimum number of days that must pass before the password can be changed again.

PASS_WARN_AGE: Number of days before password expiration to show warning.

Installing password quality enforcement

  1. Install password quality library: To enforce password quality rules, install the following package:

sudo apt install libpam-pwquality

Type Y when prompted to confirm and wait for the installation to complete.

Configuring password complexity rules

  1. Edit PAM configuration: Next, we need to edit the PAM (Pluggable Authentication Modules) configuration file:

nano /etc/pam.d/common-password
  2. After retry=3, on the same line, add the following options:

minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root

[Screenshots in the original: how the line must be, and how the file must look]

minlen=10 ➤ The minimum number of characters a password must contain.

ucredit=-1 ➤ The password must contain at least one capital letter. It is written with a - sign, which is how the module knows the number refers to a minimum of characters; with a + sign it would refer to a maximum.

dcredit=-1 ➤ The password must contain at least one digit.

lcredit=-1 ➤ The password must contain at least one lowercase letter.

maxrepeat=3 ➤ The password cannot have the same character repeated three consecutive times.

reject_username ➤ The password cannot contain the username.

difok=7 ➤ The password must contain at least seven characters that differ from the last password used.

enforce_for_root ➤ The password policy is also enforced for root.
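
A check for the result of the steps above, as an added example that is not part of the original guide: the script reads login.defs and common-password and reports every value or option that differs from the ones set on this page. The function names, the script name audit.sh and the --demo sample are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit the two files this page edits against its values.

# Print the value of the last uncommented KEY entry in a login.defs-style file.
logindefs_value() {  # $1 = key, $2 = file
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Check the aging values set on this page; report each mismatch.
audit_login_defs() {  # $1 = file
    rc=0
    for pair in PASS_MAX_DAYS=30 PASS_MIN_DAYS=2; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(logindefs_value "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected $want"; rc=1
        fi
    done
    return "$rc"
}

# Check that the pam_pwquality.so line carries every option from this page.
audit_pwquality() {  # $1 = file
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_pwquality\.so' "$1" |
           head -n 1 | tr -s '[:space:]' ' ')
    missing=""
    for opt in retry=3 minlen=10 ucredit=-1 dcredit=-1 lcredit=-1 maxrepeat=3 \
               reject_username difok=7 enforce_for_root; do
        case " $line " in
            *" $opt "*) ;;                    # present as a whole word
            *) missing="$missing $opt" ;;
        esac
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
}

case "${1:-}" in
    "") ;;      # no arguments: only define the functions
    --demo)     # constructed sample: values as they are before this page's edits
        d=$(mktemp -d)
        printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\n' > "$d/login.defs"
        printf 'password requisite pam_pwquality.so retry=3\n' > "$d/common-password"
        audit_login_defs "$d/login.defs"; audit_pwquality "$d/common-password"
        rm -r "$d" ;;
    *)          # sh audit.sh /etc/login.defs /etc/pam.d/common-password
        audit_login_defs "$1"; a=$?
        audit_pwquality "$2"; exit $((a | $?)) ;;
esac
```

The login.defs values apply to accounts created after the change; existing accounts keep their current aging settings until they are changed with chage, so review those with chage -l as well.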
