{"id":39522,"date":"2020-10-19T21:14:00","date_gmt":"2020-10-19T21:14:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/"},"modified":"2020-10-19T21:14:00","modified_gmt":"2020-10-19T21:14:00","slug":"how-to-enforce-password-complexity-on-linux","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/","title":{"rendered":"How to enforce password complexity on Linux"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2016\/08\/passwords-100678100-large.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Deploying password-quality checking on your Debian-based Linux servers can help ensure that your users assign reasonably secure passwords to their accounts, but the settings themselves can be a bit misleading.<\/p>\n<p>For example, setting a minimum password length of 12 characters does not necessarily mean that all your users&#8217; passwords will actually have 12 or more characters.<\/p>\n<p>Let&#8217;s stroll down Complexity Boulevard and see how the settings work and examine some that are worth considering.<\/p>\n<aside class=\"fakesidebar\"><a href=\"https:\/\/www.networkworld.com\/newsletters\/signup.html\">[Get regularly scheduled insights by signing up for Network World newsletters.]<\/a><\/aside>\n<p>The files that contain the settings we&#8217;re going to look at will be:<\/p>\n<ul>\n<li><strong>\/etc\/pam.d\/common-password<\/strong>&nbsp;on Debian-base systems<\/li>\n<li><strong>\/etc\/security\/pwquality.conf<\/strong> on RedHat<\/li>\n<\/ul>\n<h2>Complexity settings<\/h2>\n<p>Here&#8217;s how it works. You can set a minimum password length to insure strength, but this might not work exactly as you\u2019d expect. In fact, passwords with the most characters aren&#8217;t necessarily the most secure or easy to use and remember. In fact your users can set themselves up with shorter passwords that are just as secure if they incorporate certain restrictions and categories of characters that make them harder to crack and get credit for doing so.<\/p>\n<p>Here are complexity settings you can require in addition to length:<\/p>\n<aside class=\"nativo-promo nativo-promo-1 smartphone\" id> <\/aside>\n<ul>\n<li>uppercase characters<\/li>\n<li>lowercase characters<\/li>\n<li>digits<\/li>\n<li>other characters (e.g., punctuation marks)<\/li>\n<li>a mix of the above<\/li>\n<li>a restriction on the number of characters in any particular class (uppercase, lowercase, etc.)<\/li>\n<li>a restriction on how many times the same character can be used<\/li>\n<li>the number of characters that have to be different from those used in the previous password<\/li>\n<li>restrictions on password re-use<\/li>\n<\/ul>\n<p>The settings include:<\/p>\n<ul>\n<li><strong>minlen<\/strong>&nbsp;= minimum password length<\/li>\n<li><strong>minclass<\/strong>&nbsp;= the minimum number of character types that must be used (i.e., uppercase, lowercase, digits, other)<\/li>\n<li><strong>maxrepeat<\/strong>&nbsp;= the maximum number of times a single character may be repeated<\/li>\n<li><strong>maxclassrepeat<\/strong>&nbsp;= the maximum number of characters in a row that can be in the same class<\/li>\n<li><strong>lcredit<\/strong>&nbsp;= maximum number of lowercase characters that will generate a credit<\/li>\n<li><strong>ucredit<\/strong>&nbsp;= maximum number of uppercase characters that will generate a credit<\/li>\n<li><strong>dcredit<\/strong>&nbsp;= maximum number of digits that will generate a credit<\/li>\n<li><strong>ocredit<\/strong>&nbsp;= maximum number of other characters that will generate a credit<\/li>\n<li><strong>difok<\/strong>&nbsp;= the minimum number of characters that must be different from the old password<\/li>\n<li><strong>remember<\/strong>&nbsp;= the number of passwords that will be remembered by the system so that they cannot be used again<\/li>\n<li><strong>gecoscheck<\/strong> = whether to check for the words from the passwd entry GECOS string of the user (enabled if the value is not 0)<\/li>\n<li><strong>dictcheck<\/strong> = whether to check for the words from the cracklib dictionary (enabled if the value is not 0)<\/li>\n<li><strong>usercheck<\/strong> = whether to check if the password contains the user name in some form (enabled if the value is not 0)<\/li>\n<li><strong>enforcing<\/strong> = new password is rejected if it fails the check and the value is not 0<\/li>\n<li><strong>dictpath<\/strong> = path to the cracklib dictionaries. Default is to use the cracklib default.<\/li>\n<\/ul>\n<p>These settings on a Red Hat system might look like this. The <strong>credit<\/strong> settings mean your users will get credits for using a mix of character types that can reduce the password length requirement.<\/p>\n<aside class=\"nativo-promo nativo-promo-1 tablet desktop\" id> <\/aside>\n<p>$ grep &#8220;=&#8221; \/etc\/security\/pwquality.conf<\/p>\n<p># difok = 1<\/p>\n<p>minlen = 12<\/p>\n<p>dcredit = -1<\/p>\n<aside class=\"nativo-promo nativo-promo-2 tablet desktop smartphone\" id> <\/aside>\n<p>ucredit = 1<\/p>\n<p>lcredit = 1<\/p>\n<p>ocredit = 1<\/p>\n<p># minclass = 0<\/p>\n<p># maxrepeat = 0<\/p>\n<p># maxclassrepeat = 0<\/p>\n<p># gecoscheck = 0<\/p>\n<p># dictcheck = 1<\/p>\n<p># usercheck = 1<\/p>\n<p># enforcing = 1<\/p>\n<p># dictpath =<\/p>\n<p>The same settings on a Debian system might look like this:<\/p>\n<p>$ grep ^password common-password<\/p>\n<p>password&nbsp;&nbsp; requisite&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pam_pwquality.so retry=3 minlen=12 difok=1 remember=3 lcredit=1 ucredit=1 ocredit=1 dcredit=-1<\/p>\n<p>Note that, regardless of the value you set for <strong>minlen<\/strong>, passwords cannot have fewer than six characters. That is, even if you set <strong>minlen<\/strong> equal to 4 and give credit for many types of characters, passwords with fewer than six characters will be rejected.<\/p>\n<h2>Getting credit for complexity<\/h2>\n<p>The idea of &#8220;credits&#8221; (e.g., <strong>lcredit<\/strong> and <strong>ucredit<\/strong>) is very interesting. Basically, a shorter password might be acceptable if it&#8217;s more complex with respect to the mix of characters.<\/p>\n<p>As an example, a password like &#8220;hijlmqrazp&#8221; might pass a <strong>minlen=10<\/strong> test. If <strong>dcredit<\/strong> is set to 2, on the other hand, the password &#8220;hijlmq99&#8221; would also pass. Why? Because you&#8217;d get two credits for the digits. So, eight characters plus credits is valued as highly as 10 characters without credits. If <strong>dcredit<\/strong> were set to 1, you would need an additional character. However, we can also grant credits for uppercase, lowercase, and non-alphanumeric characters like punctuation marks.<\/p>\n<p>Note, however, that you can only get credit for so many of the different characters. Maybe you will get credit for only one digit or two uppercase characters. Maybe you don&#8217;t get any credit for lowercase characters. It all depends on your settings.<\/p>\n<h2>Mixing character classes<\/h2>\n<p>One other setting that comes into play is the <strong>minclass<\/strong> setting, which determines how many different classes of characters must be used for a password to be acceptable. If <strong>minclass<\/strong> is set to 2, a password containing all lowercase, all uppercase, all digits, or all any other class of characters wouldn&#8217;t work. If set to 2, <strong>minclass <\/strong>would require you to use characters from two classes, like uppercase and lowercase, or lowercase and digits.<\/p>\n<p>With <strong>minclass<\/strong> set to 4, passwords would have to include all four types of characters&#8211;like \u201chowzit2B?\u201d&#8211;and, if we get credit for uppercase, digits or other characters, we&#8217;d be OK even with the <strong>minlen<\/strong> set to 12.<\/p>\n<p>You can also put a cap on the number of characters of any particular class. Set the <strong>maxclassrepeat<\/strong> setting to 4 and passwords cannot contain more than four lowercase, uppercase, digits, or other characters in succession.<\/p>\n<h2>The meaning of negative values<\/h2>\n<p>Setting any of the <strong>lcredit<\/strong>, <strong>ucredit<\/strong>, <strong>dcredit<\/strong>, or <strong>ocredit<\/strong> settings to a negative number means that you MUST have some of that type of character for a password to be acceptable. Setting <strong>dcredit<\/strong> to -1, for example, would mean that you have to include at least one digit.<\/p>\n<h2>Other passward-strength checks<\/h2>\n<p>Linux\u2019s password-quality checking includes a number of other checks that help ensure that passwords are fairly secure. It can check to see if a password is a palindrome, like \u201cracecar\u201d, whether a new password is the same as the old password but with a change of case only, if the old and new passwords are too similar or rotations of each other, and whether a password contains the user&#8217;s name. (It&#8217;s getting to the point that it might actually be difficult to assign oneself a really poor password.)<\/p>\n<p>For example, if a user doesn\u2019t meet all the specified criteria, a password changing attempt might look like this:<\/p>\n<p>$ passwd<\/p>\n<p>Changing password for shs.<\/p>\n<p>Current password:<\/p>\n<p>New password:<\/p>\n<p>BAD PASSWORD: The password is a palindrome<\/p>\n<p>New password:<\/p>\n<p>BAD PASSWORD: The password contains less than 1 uppercase letters<\/p>\n<p>New password:<\/p>\n<p>BAD PASSWORD: The password contains less than 1 non-alphanumeric characters<\/p>\n<p>passwd: Have exhausted maximum number of retries for service<\/p>\n<p>passwd: password unchanged<\/p>\n<h2>Password quality testing<\/h2>\n<p>If you change the settings in the top lines of the following Perl script, you will get a feel for the kind of passwords that will pass your quality tests. In this example, the minimum length for a password has been set to 12. One credit is given for lowercase and uppercase letters, but none for special characters (just to demonstrate the difference). In addition, a digit <u>must<\/u> be included (setting -1).<\/p>\n<p>#!\/usr\/bin\/perl -w<\/p>\n<p># &#8212; set your complexity preferences here &#8212;<\/p>\n<p>$minlen=12;<\/p>\n<p>$lcredit=1;<\/p>\n<p>$ucredit=1;<\/p>\n<p>$dcredit=-1;<\/p>\n<p>$ocredit=0;<\/p>\n<p># &#8212; initialize the counters &#8212;<\/p>\n<p>$score=0;<\/p>\n<p>$lcase=0;<\/p>\n<p>$ucase=0;<\/p>\n<p>$digits=0;<\/p>\n<p>$other=0;<\/p>\n<p># &#8212; set fail to false &#8212;<\/p>\n<p>$fail=0;<\/p>\n<p># &#8212; check for argument &#8212;<\/p>\n<p>if ( $#ARGV &lt; 0 ) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;argument expected\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; exit;<\/p>\n<p>} else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $password=$ARGV[0];<\/p>\n<p>}<\/p>\n<p># &#8212; determine if any character settings are mandatory (if negative)<\/p>\n<p>if ($lcredit &lt; 0) {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # needed # of lowercase characters<\/p>\n<p>&nbsp;&nbsp;&nbsp; $lneeded=-1 * $lcredit;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $lextra=$lneeded;<\/p>\n<p>} else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $lneeded=0;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $lextra=$lcredit;<\/p>\n<p>}<\/p>\n<p>if ($ucredit &lt; 0) {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # needed # of uppercase characters<\/p>\n<p>&nbsp;&nbsp;&nbsp; $uneeded=-1 * $ucredit;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $uextra=$uneeded;<\/p>\n<p>} else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $uneeded=0;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $uextra=$ucredit;<\/p>\n<p>}<\/p>\n<p>if ($dcredit &lt; 0) {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # needed # of digits<\/p>\n<p>&nbsp;&nbsp;&nbsp; $dneeded=-1 * $dcredit;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $dextra=$dneeded;<\/p>\n<p>} else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $dneeded=0;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $dextra=$dcredit;<\/p>\n<p>}<\/p>\n<p>if ($ocredit &lt; 0) {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # needed # of special characters<\/p>\n<p>&nbsp;&nbsp;&nbsp; $oneeded=-1 * $ocredit;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $oextra=$oneeded;<\/p>\n<p>} else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $oneeded=0;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $oextra=$ocredit;<\/p>\n<p>}<\/p>\n<p>$score=length($password);&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# 1 point for each character<\/p>\n<p># &#8212; password MUST contain at least 6 characters<\/p>\n<p>if ($score &lt; 6) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password MUST contain at least 6 characters\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; exit;<\/p>\n<p>}<\/p>\n<p># &#8212; count the characters of each type &#8212;<\/p>\n<p>foreach $char (split \/\/, $password) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; if ($char =~ \/\\d\/) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $digits++;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # digits<\/p>\n<p>&nbsp;&nbsp;&nbsp; } elsif ($char !~ \/\\w\/) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $other++;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # special characters<\/p>\n<p>&nbsp;&nbsp;&nbsp; } elsif ($char eq lc($char)) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $lcase++;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # lowercase<\/p>\n<p>&nbsp;&nbsp;&nbsp; } elsif ($char eq uc($char)) {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $ucase++;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; # uppercase<\/p>\n<p>&nbsp;&nbsp;&nbsp; } else {<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &#8220;Error: unrecognized character. Please fix this script!\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; }<\/p>\n<p>}<\/p>\n<p>if ($lcase &lt; $lneeded) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password failure: need $lneeded lowercase character(s)\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $fail=1;<\/p>\n<p>}<\/p>\n<p>if ($ucase &lt; $uneeded) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password failure: need $uneeded uppercase character(s)\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $fail=1;<\/p>\n<p>}<\/p>\n<p>if ($digits &lt; $dneeded) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password failure: need $dneeded digit(s)\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $fail=1;<\/p>\n<p>}<\/p>\n<p>if ($other &lt; $oneeded) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password failure: need $oneeded special character(s)\\n&#8221;;<\/p>\n<p>&nbsp;&nbsp;&nbsp; $fail=1;<\/p>\n<p>}<\/p>\n<p>if ($fail &gt; 0) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; exit;<\/p>\n<p>}<\/p>\n<p># &#8212; reduce credits to number allowed &#8212;<\/p>\n<p>if ($lcase &gt; $lextra) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $lcase=$lextra;<\/p>\n<p>}<\/p>\n<p>if ($ucase &gt; $uextra) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $ucase=$uextra;<\/p>\n<p>}<\/p>\n<p>if ($digits &gt; $dextra) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $digits=$dextra;<\/p>\n<p>}<\/p>\n<p>if ($other &gt; $oextra) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; $other=$oextra;<\/p>\n<p>}<\/p>\n<p>print &#8220;$score + $lcase + $ucase + $digits + $other\\n&#8221;;<\/p>\n<p>$score=$score + $lcase + $ucase + $digits + $other;<\/p>\n<p>if ($score &gt;= $minlen) {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password passes with score of $score\\n&#8221;;<\/p>\n<p>} else {<\/p>\n<p>&nbsp;&nbsp;&nbsp; print &#8220;password fails with score of $score\\n&#8221;;<\/p>\n<p>}<\/p>\n<p>Notice that the password \u201c2Good4me?\u201d passes even though it\u2019s only 9 characters long. This is because we got one credit each for the uppercase G, one for the use of lowercase letters and one for the digit. We\u2019d have passed with a 13 if we had been given credit for the \u201c?\u201d as well. The \u201c9 + 1 + 1 + 1 + 0\u201d line displays the list of credits:<\/p>\n<p>$ pwquality 2Good4me?<\/p>\n<p>9 + 1 + 1 + 1 + 0<\/p>\n<p>password passes with score of 12<\/p>\n<h2>Password complexity and PAM<\/h2>\n<p>Support for password complexity is provided through the pluggable authentication module (PAM). If you have a file named <strong>\/etc\/pam.d\/system-auth<\/strong> on a RedHat system, look for lines that look like those shown below.<\/p>\n<p>$ grep password \/etc\/pam.d\/system-auth<\/p>\n<p>password&nbsp;&nbsp;&nbsp; requisite&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pam_pwquality.so try_first_pass local_users_only<\/p>\n<p>password&nbsp;&nbsp;&nbsp; sufficient&nbsp;&nbsp;&nbsp;&nbsp; pam_unix.so sha512 shadow nullok try_first_pass use_authtok<\/p>\n<p>password&nbsp;&nbsp;&nbsp; sufficient&nbsp;&nbsp;&nbsp;&nbsp; pam_sss.so use_authtok<\/p>\n<p>password&nbsp;&nbsp;&nbsp; required&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pam_deny.so<\/p>\n<p>On Debian systems like Ubuntu, this command will show you whether PAM is installed and ready to be used:<\/p>\n<p>$ apt-cache policy *pam-pwquality*<\/p>\n<p>libpam-pwquality:<\/p>\n<p>&nbsp; Installed: 1.4.2-1build1<\/p>\n<p>&nbsp; Candidate: 1.4.2-1build1<\/p>\n<p>&nbsp; Version table:<\/p>\n<p>&nbsp;*** 1.4.2-1build1 500<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 500 http:\/\/us.archive.ubuntu.com\/ubuntu focal\/main amd64 Packages<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 100 \/var\/lib\/dpkg\/status<\/p>\n<p>If the response on your system shows \u201cInstalled: (none)\u201d, you can install it with this command:<\/p>\n<p>$ sudo apt install libpam-pwquality<\/p>\n<div class=\"end-note\"> <!-- blx4 #2005 blox4.html --> <\/p>\n<div id class=\"blx blxParticleendnote blxM2005 blox4_html blxC23909\">Join the Network World communities on <a href=\"https:\/\/www.facebook.com\/NetworkWorld\/\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a> and <a href=\"https:\/\/www.linkedin.com\/company\/network-world\" target=\"_blank\" rel=\"noopener noreferrer\">LinkedIn<\/a> to comment on topics that are top of mind. <\/div>\n<\/p><\/div>\n<p> READ MORE <a href=\"https:\/\/www.networkworld.com\/article\/2726217\/how-to-enforce-password-complexity-on-linux.html#tk.rss_security\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\nDeploying password-quality checking on your Debian-based Linux servers can help ensure that your users assign reasonably secure passwords to their accounts, but the settings themselves can be a bit misleading.For example, setting a minimum password length of 12 characters does not necessarily mean that all your users&#8217; passwords will actually have 12 or more characters.Let&#8217;s stroll down Complexity Boulevard and see how the settings work and examine some that are worth considering.[Get regularly scheduled insights by signing up for Network World newsletters.]<br \/>\nThe files that contain the settings we&#8217;re going to look at will be:To read this article in full, please click here READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":39523,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[738],"tags":[812,4193,493,739],"class_list":["post-39522","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networkworld","tag-data-center","tag-endpoint-protection","tag-linux","tag-open-source"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to enforce password complexity on Linux 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to enforce password complexity on Linux 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-10-19T21:14:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/how-to-enforce-password-complexity-on-linux.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"620\" \/>\n\t<meta property=\"og:image:height\" content=\"413\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"How to enforce password complexity on Linux\",\"datePublished\":\"2020-10-19T21:14:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/\"},\"wordCount\":2143,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/how-to-enforce-password-complexity-on-linux.jpg\",\"keywords\":[\"Data Center\",\"endpoint protection\",\"Linux\",\"Open Source\"],\"articleSection\":[\"Networkworld\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/\",\"name\":\"How to enforce password complexity on Linux 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/how-to-enforce-password-complexity-on-linux.jpg\",\"datePublished\":\"2020-10-19T21:14:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/how-to-enforce-password-complexity-on-linux.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/how-to-enforce-password-complexity-on-linux.jpg\",\"width\":620,\"height\":413},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-enforce-password-complexity-on-linux\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data Center\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/data-center\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to enforce password complexity on Linux\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to enforce password complexity on Linux 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/","og_locale":"en_US","og_type":"article","og_title":"How to enforce password complexity on Linux 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-10-19T21:14:00+00:00","og_image":[{"width":620,"height":413,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/how-to-enforce-password-complexity-on-linux.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"How to enforce password complexity on Linux","datePublished":"2020-10-19T21:14:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/"},"wordCount":2143,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/how-to-enforce-password-complexity-on-linux.jpg","keywords":["Data Center","endpoint protection","Linux","Open Source"],"articleSection":["Networkworld"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/","url":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/","name":"How to enforce password complexity on Linux 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/how-to-enforce-password-complexity-on-linux.jpg","datePublished":"2020-10-19T21:14:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/how-to-enforce-password-complexity-on-linux.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/how-to-enforce-password-complexity-on-linux.jpg","width":620,"height":413},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/how-to-enforce-password-complexity-on-linux\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Data Center","item":"https:\/\/www.threatshub.org\/blog\/tag\/data-center\/"},{"@type":"ListItem","position":3,"name":"How to enforce password complexity on Linux"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39522","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39522"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39522\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/39523"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39522"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}