Forcing your Linux users to use strong passwords

All SysAdmins know the importance of using strong passwords. These are the lifeblood of our systems, since a weak password will allow an adversary to enter our systems with a minimal amount of work. There are dozens of tools that can generate strong passwords, as well as a number of tools that can be used to force users to select strong passwords when they change them.

The most common way to enforce strong passwords is through the pam_cracklib.so PAM plug-in. This useful module checks a proposed new password against a series of rules before the password stack is allowed to store it. The rules cover a wide variety of criteria, including:

1. Is the password a palindrome?

2. Is the only difference between the new and old password a change of case?

3. Is the new password similar to the old password?

4. Is the new password too short?

5. Is the new password a rotated version of the old password?

6. Does the new password contain the user’s name?
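To make the rotation, similarity and user-name tests concrete, here is an added example (my own code, not libcrack's source) that reimplements the six checks above in Python. The minlen=9 and difok=5 defaults mirror the defaults documented in pam_cracklib(8); using Levenshtein distance for the "similar" test is my simplification of cracklib's own check, and the function returns the list of rules a candidate breaks rather than PAM's return codes.

```python
"""Added example: a Python re-implementation of the pam_cracklib heuristics.

This is NOT libcrack's own code. The thresholds (minlen, difok) follow the
pam_cracklib(8) defaults; the edit-distance 'similar' test and the reversed
user-name test are assumptions chosen to mirror cracklib's behaviour.
"""
from __future__ import annotations


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to approximate cracklib's 'similar' test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(new: str, old: str = "", user: str = "",
                   minlen: int = 9, difok: int = 5) -> list[str]:
    """Return the rules a candidate password breaks; an empty list means accepted."""
    problems: list[str] = []

    # Rule 4: too short (pam_cracklib default minlen=9).
    if len(new) < minlen:
        problems.append("too short")

    # Rule 1: palindrome ("racecar", "abccba").
    if new == new[::-1]:
        problems.append("palindrome")

    if old:
        # Rule 2: only the letter case changed.
        if new != old and new.lower() == old.lower():
            problems.append("case change only")
        # Rule 5: rotation of the old password ("abcdef" -> "defabc");
        # every rotation of old is a substring of old+old of the same length.
        if len(new) == len(old) and new != old and new in old + old:
            problems.append("rotated old password")
        # Rule 3: too similar (fewer than difok edits away, or unchanged).
        if _edit_distance(new, old) < difok:
            problems.append("too similar to old password")

    if user:
        # Rule 6: contains the user name, forwards or reversed.
        u = user.lower()
        if u in new.lower() or u[::-1] in new.lower():
            problems.append("contains user name")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs, one per rule, plus one that should pass.
    samples = [
        ("racecar", "", ""),
        ("Winter2024Sun", "winter2024sun", ""),
        ("2024Sunwinter", "winter2024Sun", ""),
        ("Bobby-Rides-2024", "", "bob"),
        ("correct horse battery", "Tr0ub4dor&3", "alice"),
    ]
    for new, old, user in samples:
        print(f"{new!r}: {check_password(new, old, user) or 'OK'}")
```

The rotation test is the one most people get wrong when writing their own checker: a rotated string is exactly a same-length substring of the old password concatenated with itself, so no loop over shift offsets is needed.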

The pam_cracklib.so shared library accepts a number of options that control the minimum size and strength of the password, as well as the number of times the user can retry after a failed attempt. These options are passed to the module as arguments on its line in the PAM configuration file (under /etc/pam.d) for each service whose password stack should enforce strong passwords. Here is one example:

$ cd /etc/pam.d && grep pam_cracklib.so password-auth
password requisite pam_cracklib.so try_first_pass retry=3 type=
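As an added example (not from the original post), here is that line next to a stricter alternative. The option names are the ones documented in pam_cracklib(8); the specific thresholds are my own choices, and some options (maxrepeat, enforce_for_root) only exist in newer Linux-PAM releases, so check your local manual page before copying them.

```text
# As found above: only the defaults apply (minlen=9, difok=5), three retries,
# and root can ignore a failed check.
password    requisite     pam_cracklib.so try_first_pass retry=3 type=

# Stricter alternative (thresholds are my own choices, not from the post):
#   minlen=12        at least 12 characters (credits can lower this; see dcredit etc.)
#   difok=4          at least 4 characters must differ from the old password
#   minclass=3       characters from at least 3 of: upper, lower, digit, other
#   maxrepeat=3      no run of more than 3 identical characters
#   reject_username  refuse passwords containing the user name, forwards or reversed
#   enforce_for_root also reject root's own weak choices instead of just warning
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=12 difok=4 minclass=3 maxrepeat=3 reject_username enforce_for_root
password    sufficient    pam_unix.so sha512 shadow use_authtok
```

Because the control is "requisite", a failed check stops the stack immediately, and pam_unix.so's use_authtok makes it store the password that pam_cracklib.so already validated rather than prompting again.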

All of the options are documented in the pam_cracklib(8) manual page, so I won’t go into any additional detail on them. While I was reading about this module I found out that the libcrack.so library is the heart and soul of password complexity checking, and there is a good amount of documentation that describes how to integrate it with your software. It’s also neat to see installers taking advantage of it. I recently input a weak Fedora password to see what would happen, and to my amazement Fedora immediately printed a warning telling me that I was using a weak password. Two caveats are worth keeping in mind: the checks only run when a password is changed through PAM, so existing weak passwords stay weak until their owners change them, and root is exempt unless enforce_for_root is given. Newer Fedora and RHEL releases also ship pam_pwquality.so, a successor that accepts the same option names and additionally reads /etc/security/pwquality.conf, so check which module your distribution’s password stack actually uses. We all know we need to use strong passwords, and pam_cracklib.so can ensure that you and your users are actively doing so!

4 thoughts on “Forcing your Linux users to use strong passwords”

  1. “All SysAdmins know the importance of using strong passwords. These are the life blood of our systems, since a weak password will allow an adversary to enter our systems with a minimal amount of work.”

    But very few sysadmins realize that passwords are obsolete.

    I’ve replaced all my accounts with SSH keys, so users have no passwords, they must authenticate via SSH-PKI.

    Not only does this eliminate the password hassles, since no password is ever transmitted over the wire, it is actually more secure, and my users never have to worry about forgetting their password.

    Their keys are protected by a PIN (or passphrase in SSH-speak).

    Another option would be SmartCard authentication: a PKCS11 certificate is stored on the card, which is read via a USB reader. A PIN is used to decrypt the certificate, which is then used to authenticate users not only to the system, but to all applications on the intranet. This works very well and makes life very easy for users, and the use of security systems fast and pleasant.

    Passwords are so “small shop”, and the users hate the hassle. Research the tech I described above, make it easy and more secure for everyone. Your users will thank you, and so will your employer for making the network more secure.

  2. @UX-admin — I agree with what you are saying, and I make a concerted effort to use password-less key-based authentication wherever possible. There are still systems and services where this isn’t possible, so I do my best to make sure the passwords on those systems are relatively secure. A world without passwords would be nice, but I don’t see that happening any time soon.

  3. UX-ADMIN: I too prefer DSA keys to passwords. However, I use both because I don’t really know of a good way to set up DSA keys without first having a password. I had access to an NSF supercomputer network that used this tedious GLOBUS system to get you into your account that would then allow you to set up keys, but as I said, I don’t know of a _good_ way to set up DSA keys…
