Implementing Operating System Password Policies

Implementing a password policy lets you harden your operating system by enforcing strong passwords for all operating system logins. Password policies are enforced using the pam_passwdqc.so RPM.

This applies to all versions of TufinOS, CentOS, and RHEL.

In Red Hat Enterprise Linux 7, the default configuration for password complexity is as follows. Some of these requirements are based on a credit-based system, which the system uses to evaluate the complexity of the password.

  • Requirement 1: Keep history of passwords used

    In the files /etc/pam.d/system-auth and /etc/pam.d/password-auth add the following (after the pam_pwquality.so line):

    password requisite pam_pwhistory.so remember=5 use_authtok

  • Requirement 2: Set minimum password length

    In the file /etc/security/pwquality.conf add the following:

    minlen = 9

    The password must have this number of characters (plus one) in addition to sufficient credits as defined in requirements 3-6.

  • Requirement 3: Minimum number of digits required to receive credit

    In the file /etc/security/pwquality.conf add the following:

    dcredit = -1

  • Requirement 4: Minimum number of uppercase characters required to receive credit

    In the file /etc/security/pwquality.conf add the following:

    ucredit = -1

  • Requirement 5: Maximum number of credits for having lowercase characters

    In the file /etc/security/pwquality.conf add the following:

    lcredit = 1

  • Requirement 6: Maximum number of credits for having other (special) characters

    In the file /etc/security/pwquality.conf add the following:

    ocredit = 1

    The examples in requirements 3-6 are for illustration purposes only. You can set a different value as follows:

    • A negative value sets the number of characters required to receive credit; for example, ucredit = -1 indicates that there must be at least 1 uppercase character.
    • A positive value is the maximum credit for including the character; for example, lcredit = 1 indicates that there is a credit of 1 for including lowercase characters.
    • A value of 0 indicates that there is no requirement.

  • Requirement 7: Minimum number of required character classes (digits, uppercase, lowercase, and others)

    In the file /etc/security/pwquality.conf add the following:

    minclass = 1

  • Requirement 8: Maximum number of consecutive same characters

    In the file /etc/security/pwquality.conf add the following:

    maxrepeat = 2

  • Requirement 9: Maximum number of consecutive characters of the same class

    In the file /etc/security/pwquality.conf add the following:

    maxclassrepeat = 2

  • Requirement 10: Maximum number of characters in the new password that must not be present in the old password

    In the file /etc/security/pwquality.conf add the following:

    difok = 5

  • Requirement 11: Enforce password complexity for root

    In the files /etc/pam.d/system-auth and /etc/pam.d/password-auth add the following option to the pam_pwquality.so line:

    enforce_for_root

  • Requirement 12: Lock out the root user

    In the files /etc/pam.d/system-auth and /etc/pam.d/password-auth add the following to the auth section:

    auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1200 root_unlock_time=600

  • To prevent a user from being locked out after multiple failed logins, add the user names above the pam_faillock line as follows:

    auth [success=1 default=ignore] pam_succeed_if.so user in <user1>:<user2>:<user3>
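The following Python is an added illustration, not part of the original article and not libpwquality's own code. It parses a constructed sample of /etc/security/pwquality.conf containing the values from requirements 2-10 and evaluates candidate passwords against them, following the rules exactly as the article states them (negative credits as hard minimums, positive credits capped, minlen "plus one", minclass, maxrepeat, maxclassrepeat, difok). The default values used for absent keys are an assumption of this model; pwscore(1) from libpwquality remains the authoritative check.

```python
"""Illustrative model of the credit-based pwquality checks (requirements 2-10).

Written for this article as a worked example; it is NOT libpwquality's code.
The rules are implemented as the article states them, including the "plus one"
on minlen. pwscore(1) from libpwquality is the authoritative check.
"""
import re

# Constructed sample of /etc/security/pwquality.conf using the article's values.
SAMPLE_CONF = """
# Configuration for systemwide password quality limits (constructed sample)
minlen = 9
dcredit = -1
ucredit = -1
lcredit = 1
ocredit = 1
minclass = 1
maxrepeat = 2
maxclassrepeat = 2
difok = 5
"""

# Values assumed when a key is absent from the file (assumption for this model).
DEFAULTS = {"minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0,
            "minclass": 0, "maxrepeat": 0, "maxclassrepeat": 0, "difok": 1}

# Maps each character class to its credit option (requirements 3-6).
CLASS_OPTION = {"digit": "dcredit", "upper": "ucredit",
                "lower": "lcredit", "other": "ocredit"}


def parse_pwquality_conf(text):
    """Read integer 'key = value' lines; comments, blanks and unknown keys are ignored."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s*=\s*(-?\d+)$", line)
        if match and match.group(1) in settings:
            settings[match.group(1)] = int(match.group(2))
    return settings


def char_class(ch):
    """Classify a character into the four classes that pwquality credits."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def longest_run(items):
    """Length of the longest run of consecutive equal items."""
    best = run = 0
    prev = object()
    for item in items:
        run = run + 1 if item == prev else 1
        prev = item
        best = max(best, run)
    return best


def check_password(new, old, s):
    """Return the list of violated options; an empty list means the password passes."""
    errors = []
    counts = {cls: 0 for cls in CLASS_OPTION}
    for ch in new:
        counts[char_class(ch)] += 1

    # Requirements 3-6: a negative value is a hard minimum for that class;
    # a positive value caps how much credit the class may earn.
    credit = 0
    for cls, option in CLASS_OPTION.items():
        value = s[option]
        if value < 0:
            if counts[cls] < -value:
                errors.append(f"{option} = {value}: needs at least {-value} {cls} character(s)")
        else:
            credit += min(counts[cls], value)

    # Requirement 2: length plus earned credits must reach minlen + 1.
    required = s["minlen"] + 1
    if len(new) + credit < required:
        errors.append(f"minlen = {s['minlen']}: {len(new)} chars plus {credit} credit is below {required}")

    # Requirement 7: number of distinct classes present.
    present = sum(1 for n in counts.values() if n)
    if present < s["minclass"]:
        errors.append(f"minclass = {s['minclass']}: only {present} character class(es) used")

    # Requirement 8: a run of one character longer than maxrepeat.
    if s["maxrepeat"] and longest_run(new) > s["maxrepeat"]:
        errors.append(f"maxrepeat = {s['maxrepeat']}: a character repeats more than {s['maxrepeat']} times in a row")

    # Requirement 9: a run of one class longer than maxclassrepeat.
    if s["maxclassrepeat"] and longest_run(char_class(c) for c in new) > s["maxclassrepeat"]:
        errors.append(f"maxclassrepeat = {s['maxclassrepeat']}: more than {s['maxclassrepeat']} consecutive characters of one class")

    # Requirement 10: characters of the new password that the old one lacks.
    if old is not None:
        differ = sum(1 for ch in new if ch not in old)
        if differ < s["difok"]:
            errors.append(f"difok = {s['difok']}: only {differ} character(s) differ from the old password")
    return errors


if __name__ == "__main__":
    settings = parse_pwquality_conf(SAMPLE_CONF)
    for candidate in ("password", "Ab1!Cd2@Ef3#"):
        result = check_password(candidate, "Password1", settings)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Running the script shows why a lowercase-only password fails several options at once under these values (missing digit and uppercase, too short even with the single lowercase credit, a run of eight lowercase characters, and too few characters differing from the old password), while a password that alternates classes passes every check. Note how strict maxclassrepeat = 2 is in practice: any three consecutive letters of the same case are rejected.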

See the pam_passwdqc man page for a description of the password policy options implemented above, and for additional password policy options available.