The complexity of password complexity

Deploying password quality checking on your Debian-based Linux servers can help to ensure that your users assign reasonable passwords on their accounts, but the settings themselves can be a bit misleading. For example, setting a minimum password length of 12 characters does not mean that your users’ passwords will all have twelve or more characters. Let’s stroll down Complexity Boulevard, see how the settings actually work, and examine some settings worth considering.

First, if you haven’t done this already, install the password quality checking library with this command:

apt-get -y install libpam-pwquality

The files that contain most of the settings we’re going to look at will be:

  • /etc/pam.d/common-password on Debian-based systems
  • /etc/pam.d/system-auth on Red Hat-based systems

The same options can also be set in /etc/security/pwquality.conf, which libpwquality reads on both families; a value given on the pam_pwquality line in the PAM file overrides the one in pwquality.conf.

Complexity settings

Here’s how it works. The minlen setting is not a hard floor on length; it is a score the password has to reach. Each of the four character classes (digits, upper case, lower case and everything else) has a credit setting (dcredit, ucredit, lcredit and ocredit). A positive credit of N means that up to N characters of that class each count as an extra character toward minlen, so a user who mixes in a digit, a capital and a punctuation mark collects credit for the added complexity and can pass a minlen of 12 with a password that is shorter than 12 characters. A negative credit of -N does the opposite: it earns nothing and instead requires at least N characters of that class.
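To make the credit arithmetic concrete, here is a small model of the minlen/credit rule, added as an example for this article; it is not code from the article or from libpwquality itself. It reproduces only the length-and-credit scoring and the minclass check described here, not the rest of the library (dictionary words, difok, maxrepeat and so on). The setting names follow pwquality.conf, and the passwords fed to it are constructed for the demo.

```python
"""Model of libpwquality's minlen/credit scoring (added example, not library code).

Rule modelled: start from minlen, subtract up to N for each class whose credit
is a positive N, and require at least N characters of a class whose credit is
a negative -N. The password passes the length check when its real length is at
least the reduced requirement. Classification is ASCII-only, matching C ctype.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    """Subset of pwquality.conf options (names match the real ones)."""
    minlen: int = 12
    dcredit: int = 0   # digits
    ucredit: int = 0   # upper case
    lcredit: int = 0   # lower case
    ocredit: int = 0   # everything else
    minclass: int = 0  # minimum number of distinct classes


def count_classes(pw: str) -> dict:
    """Count characters per class the way the credit rule groups them."""
    digits = sum(c in string.digits for c in pw)
    uppers = sum(c in string.ascii_uppercase for c in pw)
    lowers = sum(c in string.ascii_lowercase for c in pw)
    others = len(pw) - digits - uppers - lowers
    return {"digits": digits, "uppers": uppers, "lowers": lowers, "others": others}


def check(pw: str, s: Settings) -> tuple:
    """Return (ok, reason, effective_minimum_length) for a candidate password."""
    counts = count_classes(pw)
    credits = {"digits": s.dcredit, "uppers": s.ucredit,
               "lowers": s.lcredit, "others": s.ocredit}
    required = s.minlen
    for cls, n in counts.items():
        credit = credits[cls]
        if credit >= 0:
            # Positive credit: each present character of the class, up to the
            # credit value, lowers the length the password must actually have.
            required -= min(n, credit)
        elif n < -credit:
            # Negative credit: a hard minimum for the class, no credit earned.
            return False, f"needs at least {-credit} {cls}", required
    if len(pw) < required:
        return False, f"too short: {len(pw)} < effective minimum {required}", required
    classes = sum(1 for n in counts.values() if n > 0)
    if s.minclass > 0 and classes < s.minclass:
        return False, f"only {classes} character classes, minclass={s.minclass}", required
    return True, "ok", required


def floor_length(s: Settings) -> int:
    """Shortest password that can pass minlen once every positive credit is claimed."""
    positive = (c for c in (s.dcredit, s.ucredit, s.lcredit, s.ocredit) if c > 0)
    return s.minlen - sum(positive)


if __name__ == "__main__":
    # Constructed sample passwords and three ways of configuring minlen=12.
    configs = {
        "credits on (1 each)": Settings(minlen=12, dcredit=1, ucredit=1, lcredit=1, ocredit=1),
        "credits off":         Settings(minlen=12),
        "classes required":    Settings(minlen=12, dcredit=-1, ucredit=-1, lcredit=-1, ocredit=-1),
    }
    for name, cfg in configs.items():
        print(f"{name}: shortest passing length = {floor_length(cfg)}")
        for pw in ("Pa55w0rd!", "correcthorsebattery", "Correct-Horse-Battery-9"):
            ok, reason, req = check(pw, cfg)
            print(f"  {pw!r:28} len={len(pw):2} required={req:2} -> {reason}")
```

Run it and the first configuration shows the point of the article: with the four credits at 1, a nine-character password like Pa55w0rd! clears a minlen of 12 because each class it touches knocks one off the requirement. Turn the credits negative and the same setting becomes what most people expect, twelve real characters plus at least one of each class, which is the shape worth considering on a server.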