
Why This Matters

Without a password-quality module, PAM accepts almost any password a user chooses, including weak ones like “password123” or “admin” that online guessing and offline hash cracking recover in seconds. libpwquality (via pam_pwquality) provides “a way to configure the default password quality requirements for the system passwords” and checks each new password for “its strength against a system dictionary and a set of rules for identifying poor choices.”

How It Works

On Linux, PAM (Pluggable Authentication Modules) handles authentication. When a user sets or changes a password with passwd, PAM’s password stack (on Debian, the modules listed in /etc/pam.d/common-password) runs in order. We’ll configure that stack to pass every new password through pam_pwquality, shipped in libpam-pwquality, which checks it against the requirements below. If the password passes, the stack continues to pam_unix, which stores the new hash; if it fails, the module is listed as requisite, so the stack stops immediately and the user gets an error and must choose a stronger password.

Installation and Configuration

Step 1: Install libpam-pwquality

On Debian-based systems:
sudo apt install libpam-pwquality
Step 2: Back up the PAM configuration

Create a backup of PAM’s password configuration:
sudo cp --archive /etc/pam.d/common-password /etc/pam.d/common-password-COPY-$(date +"%Y%m%d%H%M%S")
Step 3: Configure password requirements

Edit /etc/pam.d/common-password and find the line that starts with:
password        requisite                       pam_pwquality.so
(as installed on Debian it ends with retry=3). Change it to:
password        requisite                       pam_pwquality.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoscheck
Or use this command, which keeps the original line commented out above the new one so you can roll back:
sudo sed -i -r -e "s/^(password\s+requisite\s+pam_pwquality\.so)(.*)$/# \1\2\n\1 retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=3 gecoscheck/" /etc/pam.d/common-password
The option is spelled gecoscheck: pam_pwquality logs a misspelled option (such as gecoschec) as unknown and otherwise ignores it, so check /var/log/auth.log or journalctl after the first password change to confirm nothing was rejected. Debian’s pam-auth-update manages this file and will ask whether to override the local change the next time a PAM package is upgraded; answer no to keep it. The same settings can instead be placed in /etc/security/pwquality.conf, which pam_pwquality reads before applying any options given on the PAM line.
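The same change as a script, added here as an example and not part of this guide’s original instructions or of Debian’s tooling. It takes the file path as an argument so it can be tried on a copy first, and it is written to refuse when the file does not look as expected, to keep the original line commented out for rollback, and to be safe to run twice. The option string and the backup naming are the guide’s; the layout it assumes (one active line beginning password requisite pam_pwquality.so, as Debian installs it) and the SAMPLE text are assumptions for illustration.

```python
"""Apply the guide's pam_pwquality options to a Debian common-password file.

Added example for this page, not Debian's or libpwquality's tooling.
Usage: sudo python3 harden_pwquality.py /etc/pam.d/common-password
"""
from __future__ import annotations

import re
import shutil
import sys
import time
from pathlib import Path

# Options from this guide. Note the spelling gecoscheck: pam_pwquality logs a
# misspelled option as unknown and otherwise ignores it.
HARDENED_OPTS = ("retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 "
                 "dcredit=-1 ocredit=-1 maxrepeat=3 gecoscheck")

# An active (uncommented) pam_pwquality line plus whatever options follow it.
# Assumes Debian's "requisite" control field, as the guide's sed command does.
MODULE_RE = re.compile(
    r"^(?P<prefix>password\s+requisite\s+pam_pwquality\.so)(?P<opts>.*)$",
    re.MULTILINE)


def active_line(text: str) -> re.Match:
    """Return the single active pam_pwquality line; raise if there is not exactly one."""
    matches = list(MODULE_RE.finditer(text))
    if len(matches) != 1:
        raise ValueError(f"expected exactly one active pam_pwquality line, "
                         f"found {len(matches)}")
    return matches[0]


def harden(text: str, opts: str = HARDENED_OPTS) -> str:
    """Return text with the active line replaced by the hardened one.

    The original line is kept, commented out, for rollback. Idempotent: if the
    active line already carries exactly `opts`, the text comes back unchanged.
    """
    m = active_line(text)
    if sorted(m.group("opts").split()) == sorted(opts.split()):
        return text
    replacement = f"# {m.group(0)}\n{m.group('prefix')} {opts}"
    return text[:m.start()] + replacement + text[m.end():]


def active_options(text: str) -> dict:
    """Parse the active line's options, e.g. {'minlen': '10', 'gecoscheck': None}."""
    options = {}
    for token in active_line(text).group("opts").split():
        name, _, value = token.partition("=")
        options[name] = value or None   # bare flags such as gecoscheck have no value
    return options


def apply_to_file(path: Path) -> Path:
    """Back the file up (same naming as the guide's cp), rewrite it, return the backup path."""
    backup = path.with_name(f"{path.name}-COPY-{time.strftime('%Y%m%d%H%M%S')}")
    shutil.copy2(path, backup)
    path.write_text(harden(path.read_text()))
    return backup


# Constructed sample (abridged) in the shape of Debian's file right after
# libpam-pwquality is installed; not copied from any real system.
SAMPLE = """\
# /etc/pam.d/common-password - password-related modules common to all services
password\trequisite\t\t\tpam_pwquality.so retry=3
password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass yescrypt
password\trequisite\t\t\tpam_deny.so
password\trequired\t\t\tpam_permit.so
"""

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: harden_pwquality.py /etc/pam.d/common-password")
    target = Path(sys.argv[1])
    print(f"backup written to {apply_to_file(target)}")
    print(f"active options now: {active_options(target.read_text())}")
```

Copy the real file somewhere writable, run the script against the copy, and diff it against the original before pointing the script at /etc/pam.d/common-password under sudo.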

Password Requirements Explained

Here’s what each option in the configuration means:

Option      Value  Description
retry       3      Prompt up to 3 times for an acceptable password before the module returns an error
minlen      10     Minimum length; credits earned (see below) are added to the real length, but with the negative credit values here none are earned, so this means 10 actual characters (minlen cannot be set below 6)
difok       3      At least 3 characters of the new password must not appear in the old one
ucredit     -1     At least one uppercase letter required (a negative value is a minimum, not a credit)
lcredit     -1     At least one lowercase letter required
dcredit     -1     At least one digit required
ocredit     -1     At least one non-alphanumeric character required
maxrepeat   3      Reject more than 3 identical consecutive characters (“sss” passes, “ssss” fails)
gecoscheck  on     Reject passwords containing words longer than 3 characters from the account’s GECOS field, usually the user’s full name; a bare gecoscheck on the PAM line means 1. The user name itself is already checked by usercheck, which is on by default

Credit system: a positive value N gives “credit”: up to N characters of that class each count as one extra character toward minlen, so a password with several character classes may be shorter than minlen. A negative value requires at least |N| characters of that class and earns no credit. For example:
  • ucredit=1 means one uppercase letter counts as an extra character toward minlen (at most 1 credit from uppercase, however many there are)
  • ucredit=-1 means at least one uppercase letter is required

Password Examples

These passwords would be REJECTED by the rules above:

  • password - too short (8 characters), no uppercase, no digit, no special character
  • Password1 - no special character, and only 9 characters
  • Pass@123 - too short (only 8 characters)
  • Johndoe@123 - contains the user name (if the user name is “johndoe”; usercheck compares case-insensitively and also catches the reversed name). With gecoscheck on and a GECOS full name of “John Doe”, any password containing “john” is rejected as well
  • Passssword@1 - four consecutive identical characters (s), more than maxrepeat=3

These passwords pass the rules above:

  • MyP@ssw0rd! - 11 characters, mixed case, digit, special character
  • S3cur3#Pass - 11 characters, all requirements met
  • C0mpl3x!ty - 10 characters, all requirements met

Passing the rules is not the whole story: pam_pwquality also runs each new password through the cracklib dictionary check, which tests simple variants of dictionary words, so passwords built on a common word, like the three above, may still be rejected with “The password fails the dictionary check”.

Testing Password Requirements

You can test candidate passwords without changing any account password with pwscore (on Debian it is in the libpwquality-tools package, not in libpam-pwquality):
pwscore
Type a potential password and press Enter. pwscore prints a score from 0 to 100, or the same error message pam_pwquality would give (too short, dictionary check, and so on). The score has no official bands; as a rule of thumb:
  • Score 0-49: Weak
  • Score 50-79: Medium
  • Score 80-100: Strong
Two caveats: pwscore reads its settings from /etc/security/pwquality.conf, not from the options on the PAM line, so to test the exact policy above put the same settings in that file (one per line, for example minlen = 10); and the user-name and GECOS checks only run if you give the user name as pwscore’s argument.

Customizing Requirements

You can adjust the requirements to match your security policy. For example:

More strict:
retry=3 minlen=14 difok=5 ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2 maxrepeat=2 gecoscheck
Less strict:
retry=3 minlen=8 difok=2 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 maxrepeat=4 gecoscheck

Existing passwords are not re-checked: the rules apply only when a password is next set or changed, so users with weak passwords keep them until they are forced to change (see password expiration below). Before relying on the new line, keep your root or sudo session open and change an unprivileged user’s password with passwd: a malformed PAM line can leave every password change failing. Test as that user, not as root, because root changing a password only receives a warning from pam_pwquality and can set anything unless enforce_for_root is added to the line.
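To see why each password in the examples above is rejected or accepted, and how the stricter and looser profiles change the verdicts, here is an added reference implementation of the rules (example code written for this page, not libpwquality’s code): minlen with the credit system, difok, maxrepeat, usercheck and gecoscheck. The user name johndoe and the GECOS name “John Doe” are the guide’s example account; the CREDITS profile, the error texts and the exact difok and GECOS tokenising are this example’s own simplifications. It omits the dictionary and other checks the real module runs, so cross-check anything it accepts with pwscore.

```python
"""Trace the pam_pwquality rules from this guide against candidate passwords.

Added example for this page, not libpwquality's code. An empty result means
"passes these rules", not "pam_pwquality will accept it": the dictionary,
palindrome and similarity checks of the real module are not re-implemented.
"""
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """The pam_pwquality options used in this guide (usercheck is on by default)."""
    minlen: int = 10
    difok: int = 3
    ucredit: int = -1
    lcredit: int = -1
    dcredit: int = -1
    ocredit: int = -1
    maxrepeat: int = 3
    usercheck: bool = True
    gecoscheck: bool = True


GUIDE = Policy()
STRICTER = Policy(minlen=14, difok=5, ucredit=-2, lcredit=-2, dcredit=-2, ocredit=-2, maxrepeat=2)
LOOSER = Policy(minlen=8, difok=2, maxrepeat=4)
# Positive credits (this example's own profile) to show how credit shortens the required length.
CREDITS = Policy(ucredit=1, lcredit=1, dcredit=1, ocredit=1)

CLASSES = {  # option name -> (membership test, label used in messages)
    "ucredit": (lambda c: c in string.ascii_uppercase, "uppercase letter"),
    "lcredit": (lambda c: c in string.ascii_lowercase, "lowercase letter"),
    "dcredit": (lambda c: c in string.digits, "digit"),
    "ocredit": (lambda c: c not in string.ascii_letters + string.digits, "other character"),
}


def longest_run(pw: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = cur = 0
    prev = None
    for c in pw:
        cur = cur + 1 if c == prev else 1
        prev, best = c, max(best, cur)
    return best


def contains_word(pw: str, word: str) -> bool:
    """Case-insensitive check for the word, or its reverse, inside the password."""
    pw, word = pw.lower(), word.lower()
    return word in pw or word[::-1] in pw


def check(pw: str, policy: Policy = GUIDE, *, old: str | None = None,
          user: str | None = None, gecos: str = "") -> list[str]:
    """Return the rule violations for pw; an empty list means the rules pass."""
    errors, credit = [], 0
    for opt, (member, label) in CLASSES.items():
        setting = getattr(policy, opt)
        count = sum(1 for c in pw if member(c))
        if setting < 0:
            # Negative value: a minimum count for this class, and no credit.
            if count < -setting:
                errors.append(f"needs at least {-setting} {label}(s), has {count}")
        else:
            # Positive value: up to `setting` characters of this class each count
            # one extra toward minlen.
            credit += min(count, setting)
    if len(pw) + credit < policy.minlen:
        errors.append(f"too short: {len(pw)} chars + {credit} credit < minlen {policy.minlen}")
    run = longest_run(pw)
    if policy.maxrepeat and run > policy.maxrepeat:
        errors.append(f"{run} identical consecutive chars > maxrepeat {policy.maxrepeat}")
    if old is not None and policy.difok:
        # Characters of the new password absent from the old one (compared in
        # lower case here); a password at least twice as long as the old one is exempt.
        new_chars = sum(1 for c in pw.lower() if c not in old.lower())
        if new_chars < policy.difok and len(pw) < 2 * len(old):
            errors.append(f"only {new_chars} new chars, difok is {policy.difok}")
    if policy.usercheck and user and contains_word(pw, user):
        errors.append(f"contains the user name {user!r}")
    if policy.gecoscheck:
        # Words longer than 3 characters from the GECOS field (e.g. the full name).
        for word in gecos.replace(",", " ").split():
            if len(word) > 3 and contains_word(pw, word):
                errors.append(f"contains the GECOS word {word!r}")
    return errors


# Constructed candidates: the guide's example passwords for the account johndoe.
EXAMPLES = ["password", "Password1", "Pass@123", "Johndoe@123", "Passssword@1",
            "MyP@ssw0rd!", "S3cur3#Pass", "C0mpl3x!ty"]


def report(policy: Policy = GUIDE) -> dict[str, list[str]]:
    """Evaluate every example under policy for user johndoe with GECOS 'John Doe'."""
    return {pw: check(pw, policy, user="johndoe", gecos="John Doe") for pw in EXAMPLES}


if __name__ == "__main__":
    for name, policy in (("guide", GUIDE), ("stricter", STRICTER),
                         ("looser", LOOSER), ("credits", CREDITS)):
        print(f"== {name}")
        for pw, errs in report(policy).items():
            print(f"  {pw:14} {'OK' if not errs else '; '.join(errs)}")
```

Running it prints one table per profile. Compare Pass@123 across them: it fails the guide profile on length alone, passes the looser profile, and also passes the CREDITS profile at 8 characters because four positive credits raise its effective length to 12, which is why the sign of the credit options matters more than their magnitude.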

What This Does

With password quality requirements enforced:
  • Users cannot set passwords that fail the length, character-class, repeat and similarity rules, or the dictionary check
  • Every new password is validated at the moment it is set, through any program that changes passwords via the PAM password stack
  • Guessing gets harder: the minimum length and required classes enlarge the space an attacker must search, online or against stolen hashes, although a dictionary-derived password that slips through is still cheap to crack
  • The rules help satisfy the password-complexity controls found in common hardening baselines

Additional Security

Consider combining this with:
  • Password aging (PASS_MAX_DAYS and related settings in /etc/login.defs apply to new accounts; use chage for existing ones)
  • Password history with pam_pwhistory (prevents reusing recent passwords)
  • Account lockout with pam_faillock (pam_tally2 was removed from Linux-PAM 1.5 and is no longer available on Debian 12 and later)
  • Two-factor authentication for SSH
