On most Linux systems, you can use PAM (the “pluggable authentication module”) to enforce password complexity. If you have a file named /etc/pam.d/system-auth on RedHat (/etc/pam.d/common-password on Debian systems), look for lines that look like those shown below.
$ grep password /etc/pam.d/system-auth password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so
That’s what you should expect to see on a new system.
By default, passwords must have at least six characters (see /etc/login.defs for possible changes). This is hardly long enough by current standards to consider passwords to be secure. You will have a much stronger password complexity policy if you change the first line to something like this, requiring longer passwords and ensuring a degree of complexity as well.
password requisite pam_cracklib.so try_first_pass retry=3 minlength=12 lcredit=1 ucredit=1 dcredit=1 ocredit=1 difok=4
Here’s what each of the available parameters does:
try_first_pass = sets the number of times users can attempt setting a good password before the passwd command aborts minlen = establishes a measure of complexity related to the password length (more in a moment on this) lcredit = sets the minimum number of required lowercase letters ucredit = sets the minimum number of required uppercase letters dcredit = sets the minimum number of required digits ocredit = sets the minimum number of required other characters difok = sets the number of characters that must be different from those in the previous password
That said, minlen is actually a measure of complexity, not simply length. It specifies a complexity score that must be reached for a password to be deemed as acceptable. If each character in a password added one to the complexity count, then minlen would simply represent the password length but, if some characters count more than once, the calculation is more complex. So let’s see how this works.