Force Users To Create Secure Passwords on Ubuntu 16.04

When we manage equipment and users, one of the configurations that we have to take into account is the security-related, and this includes factors such as:

  • Protection of data
  • Secure access
  • Complex password policies
  • Authorize responsible users, among others

In this opportunity we will see how we can force users to create strong and robust passwords in the system and in this way increase the security of the system by using the PAM utility.

What is PAM

PAM – Pluggable Authentication Mode is basically a centralized authentication mechanism for the diverse users of Linux environments.

Install PAM on Ubuntu

For this tutorial, we will use PAM in Ubuntu 16.04. The command that we must enter for the installation of PAM is the following:

sudo apt-get install libpam-cracklib
Note: In some instances, PAM is already installed by default and we will see a message associated with the inability to locate the linbpam package, otherwise we proceed with the download and respective installation.

Configuration of the libpam package

Once we have installed or verify that PAM already exists on our Linux machine, in the following route we will see all the files associated with PAM:


We can use the following command to visualize the options that are on this route: cd /etc/pam.d and then use ls to view the content.

The files that we must configure are located in the route:


And for that reason before making any modification we will copy said file using the following:

sudo cp /etc/pam.d/common-password /root/

Edit common-password file

We can use the editor we want (vi or nano) to edit the common-password file, for this, we can enter the following:

sudo nano /etc/pam.d/common-password

Now locate the following line:

password requisite retry=3 minlen=8 difok=3

There we can use the following parameters to create a secure and robust password:

  • lcredit: Amount of lowercase letters that should be included
  • minlen: Minimum size of the password
  • dcredit: Number of digits to add
  • ucredit: Amount of capital letters to add
  • ocredit: Number of numbers to add
  • difok: Number of special characters that the password will have

To configure these parameters we must add these values manually under the line:

password requisite retry=3 minlen=8 difok=3

For example we can establish the following values:

password requisite try_first_pass retry=3

minlength=10lcredit=-2 ucredit=-1 dcredit=-1 ocredit=-1 difok=3

In this way we configure the following:

  • Minimum password size 10 characters
  • Minimum one lower case letter
  • At least one uppercase letter
  • One digit must be inside the password
  • The password must include a number
  • At least 3 special characters must be present

Save the changes using the key combination Ctrl + O and exit the editor using the Ctrl + X keys .

We have seen how PAM helps us to improve the security levels of our teams by establishing various conditions to establish them.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *