How to Customize Linux Password Expiration and Complexity Requirements

Asset ID:	1-71-819113.1
Update Date:	2018-02-08
Keywords:

Solution Type Technical Instruction Sure

Solution 819113.1 : How to Customize Linux Password Expiration and Complexity Requirements

Applies to:

Linux OS - Version 2.4 and later
Exadata X3-2 Hardware - Version All Versions and later
Linux x86-64
Linux x86
*** Reviewed for currency on 2017-02-08

Goal

This note tells how to configure Linux password policy, focussing on password expiration and complexity.

Solution

1. Password Expiration

To set the default password expiration when creating new accounts on Oracle Linux, edit the /etc/login.defs file.

PASS_MAX_DAYS 100

Which means the maximum number of days a password may be used. Please run:

$ man login.defs

for more options can be set in /etc/login.defs.

2. Password Complexity

The PAM module pam_cracklib can be used to force password complexity requirements. The complexity can be specified with the following options:

Minimum password length (minlen)
Minimum number of lower case letters (lcredit)
Minimum number of upper case letters (ucredit)
Minimum number of numeric characters (dcredit)
Minimum number of non-alphanumeric characters (ocredit)

Here is an example line in /etc/pam.d/system-auth:

password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

Given the above setting, users would be required to choose passwords that are at least 10 characters long, that have at least one lower case character, one uppercase character, one number and one special character. Note that to require any of these characteristics a negative number is specified.

Attachments

This solution has no attachment