How to Setup Strong Password Policy on Ubuntu Linux

This brief tutorial shows students and new users how to set up a strong password policy on Ubuntu 18.04 | 16.04.

Out of the box, Ubuntu machines are not set up with an advanced password policy. Any password, including weak ones, can be used and never expire. This may not be secure in some environments.

To configure a more secure password policy and protect your users from hackers and intrusions, you need to take some steps, and this post shows you how to do that.

Ubuntu is an open-source Linux operating system that runs on desktops, laptops, servers, and other devices.

When you’re ready to set up a strong password policy on Ubuntu, follow the steps below:

Ensure Passwords Expire

In most business environments, user passwords are configured to expire every 60 to 90 days. Desktop users are not configured like business environments, so a single password can be used forever.

If you want to configure Ubuntu to force users to change passwords regularly, run the command below to open the login.defs file.

sudo nano /etc/login.defs

For example, to require a new password every 60 days, set PASS_MAX_DAYS to 60 in the password aging section of the file; PASS_MIN_DAYS sets how many days must pass before a password can be changed again.

You can also set PASS_WARN_AGE, the number of days of warning a user is given before a password expires.

# Password aging controls:
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_WARN_AGE   Number of days warning given before a password expires.

Save the file and exit.

Configure PAM Password Module

A PAM module called pam_pwquality is available for Ubuntu to require strong passwords for system users. pam_pwquality performs several basic checks, just like the old pam_cracklib module, including not allowing passwords that contain words from the user's GECOS field, rejecting passwords with more than N repeated characters, and many other password-related checks.

To install and use the pam_pwquality module, run the command below:

sudo apt install libpam-pwquality cracklib-runtime

On Ubuntu, pam_pwquality is configured through /etc/pam.d/common-password. Run the command below to edit the file.

sudo nano /etc/pam.d/common-password

A good password policy will follow guidelines similar to these:

  • Allow N retries before returning an error [retry=3]
  • Set a minimum password length [minlen=8]
  • Limit the number of identical consecutive characters to N [maxrepeat=3]
  • Password must have uppercase characters [ucredit=-1]
  • Password must have lowercase characters [lcredit=-1]
  • Password must have digits [dcredit=-1]
  • Reject passwords containing words from the account's GECOS field [gecoscheck=1]

Edit the pam_pwquality line and add the requirements you want to enforce. The example below enforces all of the requirements above, plus ocredit=-1 (at least one non-alphanumeric character), difok=3 (at least three characters must differ from the old password), reject_username and enforce_for_root.

# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so

Adjust the values above to fit your environment. When done, reboot your machine and the changes should apply.
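To see what the options on that common-password line actually reject, here is an added example (not from this post or from the pam_pwquality project) that parses the line and applies a simplified emulation of its checks to candidate passwords; the sample line, user name and GECOS value are constructed, and the credit, difok and GECOS semantics are assumptions that ignore the real module's dictionary and palindrome checks.

```python
import re

# Constructed sample: the pam_pwquality line this page adds to /etc/pam.d/common-password
PWQUALITY_LINE = (
    "password requisite pam_pwquality.so retry=3 minlen=8 maxrepeat=3 "
    "ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 "
    "reject_username enforce_for_root"
)

# Character classes behind the *credit options ("other" is anything not alphanumeric)
CLASSES = {
    "ucredit": lambda c: c.isupper(),
    "lcredit": lambda c: c.islower(),
    "dcredit": lambda c: c.isdigit(),
    "ocredit": lambda c: not c.isalnum(),
}

def parse_pwquality_options(line):
    """Return {option: value} for everything after pam_pwquality.so on the line."""
    fields = line.split()
    opts = {}
    for token in fields[fields.index("pam_pwquality.so") + 1:]:  # ValueError if absent
        key, _, value = token.partition("=")
        # numeric values become ints; bare flags such as reject_username become True
        opts[key] = int(value) if value.lstrip("-").isdigit() else True
    return opts

def check_password(new, opts, old="", username="", gecos=""):
    """Return the reasons `new` would be rejected; an empty list means accepted.
    Simplified emulation (assumption): a negative credit is a minimum count for that
    class, difok counts characters of `new` absent from `old`, and the real module's
    dictionary and palindrome checks are not modelled."""
    problems = []
    if len(new) < opts.get("minlen", 8):
        problems.append("shorter than minlen=%d" % opts.get("minlen", 8))
    for opt, is_member in CLASSES.items():
        need = -opts.get(opt, 0)
        if need > 0 and sum(1 for c in new if is_member(c)) < need:
            problems.append("needs at least %d character(s) for %s" % (need, opt))
    if opts.get("maxrepeat") and re.search(r"(.)\1{%d,}" % opts["maxrepeat"], new):
        problems.append("more than maxrepeat=%d identical consecutive characters" % opts["maxrepeat"])
    if old and sum(1 for c in new if c not in old) < opts.get("difok", 0):
        problems.append("too few characters differ from the old password (difok)")
    if opts.get("reject_username") and username and username.lower() in new.lower():
        problems.append("contains the user name")
    gecos_words = [w for w in re.split(r"[ ,]+", gecos) if len(w) >= 3]
    if opts.get("gecoscheck") and any(w.lower() in new.lower() for w in gecos_words):
        problems.append("contains a word from the GECOS field")
    return problems
```

Running check_password on a few candidates with the parsed options shows which rule each weak password trips, which is useful when deciding how strict to make the line.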

That’s it!


This post showed you how to set up a strong password policy on Ubuntu 18.04 | 16.04. If you find errors in the above, please use the form below to report.
