nash11
Frequent Advisor

Change password policy

When I force the user to change the password, the user gets the message (BAD PASSWORD: it is based on a dictionary word). I understand this is for security reasons, to prohibit simple passwords, but if I want to disable this restriction (that is, have the Linux system allow any dictionary word), what can I do? thx.
Vitaly Karasik_1
Honored Contributor

Re: Change password policy

just comment (or remove) line with "pam_cracklib" from /etc/pam.d/system-auth
nash11
Frequent Advisor

Re: Change password policy

thx Vitaly Karasik

If I remove this line, the system will allow any kind of password, which means all insecure passwords (e.g. too short, too simple, similar passwords) are allowed. If I only want to disable the restriction (BAD PASSWORD: it is based on a dictionary word), what can I do? thx
Steven E. Protter
Exalted Contributor

Re: Change password policy

Shalom nash,

crack uses dictionary words in many languages as part of its method of cracking passwords.

By making the configuration change the dictionary word warning should stop happening.

It's a bad idea to do this and might make you fail a SOX audit.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
nash11
Frequent Advisor

Re: Change password policy

thx reply ,

I would like to add one more requirement: the default password length is at least 7 characters. If I want to change the default setting so that the system accepts a password length of 6 characters, what can I do? thx
Vitaly Karasik_1
Honored Contributor

Re: Change password policy

you can change it in /etc/login.defs
peterchu
Super Advisor

Re: Change password policy

thx reply,

I checked and the setting is "5" now, which I think is the default value, but I found that the current minimum acceptable password length is 7. What is wrong? And if I change the file "/etc/login.defs", do I need to restart any service? thx.
peterchu
Super Advisor

Re: Change password policy

thx reply ,

The password length is OK now, thx for help.

I would like to ask again: my system now accepts numerics-only or characters-only passwords; for example, the password can be 741852 (all numerics) or poiuyt (all characters). If I want to require that the password MUST have BOTH characters AND numerics, what can I do? thx
George Liu_4
Trusted Contributor

Re: Change password policy

I think you should write the pam modules by yourself
Ryan Goh
Frequent Advisor

Re: Change password policy

Password Length, Complexity and Password Space :
Use the PAM pam_cracklib.so module. Access a sample /etc/pam.d/system-auth file here. As a privileged user, modify the pam_cracklib.so parameters in the sample file to implement the system password policy. Relevant parameters are:
minlen: Establishes a minimum acceptable length for user generated passwords. Works in conjunction with the *credit parameters.
difok: Establishes the minimum number of characters by which a new password must differ from the previous password.
lcredit, ucredit, dcredit, and ocredit (lower, upper, digit, other character classes, respectively): Establishes the number of "credits" in a new password for a particular character class, which can be used to modify the minimum required password length for sufficiently "complex" user selections, or to implement password complexity rules. *credit has a default value of 1, which works to reduce the minimum length requirement (minlen) by 1 character for each character class the user chooses in a new password. Thus, by default, if minlen = 8, users can get away with, say, 6 character passwords if they choose characters from 3 out of 4 of the character sets. Setting *credit values to 0 disables the reduction of minlen . Setting minlen < 0 establishes the minimum number of characters from the particular character class that must appear in the new password
Ryan Goh
Frequent Advisor

Re: Change password policy

For more information on password policy for linux, I think this is a good link, http://nisswg.hawaii.edu/Public/Procedures/Config/RedHat/RedHat-config.html
Ryan Goh
Frequent Advisor

Re: Change password policy

Modify the line with pam_cracklib.so in /etc/pam.d/system-auth file as "password required /lib/security/pam_cracklib.so retry=3 minlen=6". The path for pam_cracklib.so might be different.

There are four predefined control flags you can use:
required - The module result must be successful for authentication to continue. If a required module result fails, the user is not notified until results on all modules referencing that interface are completed.

requisite - The module result must be successful for authentication to continue. However, if a requisite module result fails, the user is notified immediately with a message reflecting the first failed required or requisite module.

sufficient - The module result is ignored if it fails. But, if a sufficient flagged module result is successful and no required flagged modules above it have failed, then no other results are required and the user is authenticated to the service.

optional - The module result is ignored if it fails. If the module result is successful, it does not play a role in the overall success or failure for the module interface. A module flagged as optional becomes necessary for successful authentication when there are no other modules referencing that interface. In this case, an optional module determines the overall PAM authentication for that interface.
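
The minlen and *credit rule from the replies above, as an added example that is not part of any post and is not pam_cracklib's own code: a Python model of the length check, run against the pam_cracklib line quoted in the thread and a constructed stricter variant. The negative dcredit/lcredit values in the variant follow the pam_cracklib documentation, where a negative credit is the minimum count required for that class; the function names and the minlen default of 9 are assumptions taken from that documentation, not from the thread.

```python
# Added example: a Python model of pam_cracklib's documented minlen / *credit
# rule (not the module's source). Dictionary and difok checks are not modelled.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}

def parse_cracklib_line(line):
    """Read integer options from a simple 'type control module opts...' line."""
    opts = dict(DEFAULTS)
    for field in line.split()[3:]:          # skip type, control, module path
        key, sep, value = field.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts

def length_check(password, opts):
    """Return (accepted, reason) for the length / character-class rule only."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())
    needed = opts["minlen"]
    for name, seen in counts.items():
        credit = opts[name]
        if credit >= 0:
            # A positive credit shortens the required length, up to the cap.
            needed -= min(seen, credit)
        elif seen < -credit:
            # A negative credit is a hard minimum for that character class.
            return False, f"{name}: need at least {-credit}, found {seen}"
    if len(password) < needed:
        return False, f"too short: length {len(password)}, need {needed}"
    return True, "ok"

# The line quoted in the thread, and a constructed variant that demands
# at least one digit and at least one lower-case letter.
THREAD_LINE = "password required /lib/security/pam_cracklib.so retry=3 minlen=6"
STRICT_LINE = THREAD_LINE + " dcredit=-1 lcredit=-1"

if __name__ == "__main__":
    for line in (THREAD_LINE, STRICT_LINE):
        opts = parse_cracklib_line(line)
        for pw in ("741852", "poiuyt", "poi741", "po741"):
            print(opts, pw, length_check(pw, opts))
```

With the thread's line, both 741852 and poiuyt pass this rule; with the constructed variant only passwords containing both a digit and a lower-case letter, and at least 6 characters long, pass.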

Vitaly Karasik_1
Honored Contributor

Re: Change password policy

nash11, please remember about assigning points!