How to Enforce Password Quality in Linux

One of the easiest ways to improve the security of your server is to ensure that everyone’s password meets a certain minimum length. There are, of course, other considerations like the mix of small and capital letters, numbers, and special characters. But a minimum password length gives you the most “bang for the buck”. Each additional character in a password increases its strength exponentially. In this article, we’ll show you how to enforce a minimum password length for all your users in Linux.

Table of Contents

Step 1: Ensure that you Have Administrator Permissions

The changes we’ll be making require you to either be root or have “sudo” permissions. Getting sudo permissions is another discussion altogether. But if you want to switch to root from any other user, just type the following command:

su - root

Enter your root password and you’re good to go. It’s worth mentioning that performing tasks while logged in as root is almost never a good idea. Get sudo permissions and do what you need to do from there!

Step 2: Checking the Existing Minimum Length

By default, your current password configuration should already have a minimum length set up. For our installation, this is 8 characters. You can check the validity of any password using the following command:

pwscore

Hit “Enter” and type your password into the blank line that follows. For example:

In the screenshot above, you can see we’ve entered the password “1234567”. This falls short of the minimum password length of 8, so we get an error message informing us. Of course, this password falls short of many other requirements too. But the minimum length is the first to be checked.

Step 3: Open the pwquality.conf File

All your password requirements are specified in the following file:

/etc/security/pwquality.conf

Along with the minimum length, it allows you to assign various degrees of importance to the characteristics of your password. We’ll take a look at those a bit later. For now, just open it using a text editor:

vi /etc/security/pwquality.conf

Now let’s set the minimum length

Step 4: Set the Minimum Password Length

In the text editor, scroll down till you see this line:

# minlen = 9

To change the minimum length, do these two things:

Remove the hash (#) character from the beginning of the line
Change the length to your desired length
Change the following parameters to “0” and Remove the hash (#) for them as well
1. dcredit
2. ucredit
3. lcredit
4. ocredit

So if you want the minimum length to be 10, change minlen and the others as shown here:

Save the file.

Step 5: Verify the Changes

Now when we use the “pwscore” command again, the new password length is enforced. Here’s proof:

Need a fast and easy fix?

✔ Unlimited Managed Support

✔ Supports Your Software

✔ 2 CPU Cores

✔ 2 GB RAM

✔ 50 GB PCIe4 NVMe Disk

✔ 1854 GeekBench Score

✔ Unmetered Data Transfer

NVME 2 VPS

Now just $43 .99
/mo

GET YOUR VPS

In this screenshot, we use the password ” qjtdysi7″ – one more than last time. Since we’ve set “minlen” to 10, the minimum password length is now 9.

Step 6 (Optional): Configure Other Password Parameters

In Step 4, we’ve disabled “credits”, which gives passwords points for things like digits, capital letters, and characters different from the previous password. The default for those was “1”, which means that each time you use one of these characters, the score is added to the length.

If we omit Step 4, that it allows users to bypass the minimum length by using a mix of characters and digits. So for example, a “minlen” of 9 could be overcome by the previous password:

qjtdysi7

While this has only 8 characters, it contains a digit and lowercase alphabets. Which increases the score to 10 and thus meets our password requirements.

You can adjust the “minlen” parameter to a higher number and give people additional points password complexity. You can set the various credits to a negative number to force that specific amount of characters. Do a “dcredit” value of -3 means that the password must have at least 3 digits.

The “pwquality.conf” file documents all these parameters, and you can create password rules that are as complex as you like! But here we show you how to get started with a minimum length. You can take it from there!

You don’t have to enforce password quality on your Linux machine if you are one of our Managed Linux VPS Hosting clients, in which case you can simply ask our technical support to enforce your Linux password for you. They are available 24/7 and will take care of it asap.

4 thoughts on “How to Enforce Password Quality in Linux”

Hitendra Singh Rathore

August 23, 2018 at 05:52

Yes, in Linux we can change the password validation rules as per our requirements. we can enforce the user to enter a more complicated password for the system. as our organization uses Linux for the development purpose, we have already made changes in our system for enforcing to enter the complex password. by the way, thank you for sharing.
rimple

December 24, 2019 at 07:15

hello, i am not able to enforce root user to make the password complex for other users in redhat 7 can you help me ?
- admin
  
  December 26, 2019 at 02:30
  
  Have you followed our tutorial? Do you tried to edit the /pwquality.conf file?
  Since you are using Red Hat 7 you can check their official documentation about this at https://access.redhat.com/documentation/
  - Aloha
    
    February 17, 2022 at 15:26
    
    I believe there is a certain field called enforce_for_root that has to be set.