Enforcing Password Complexity on CentOS/RedHat

From Peter Pap's Technowiki
Jump to: navigation, search

Edit the file /etc/pam.d/system-auth and change these two lines:

 password    requisite     pam_cracklib.so try_first_pass retry=3 type=
 password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

to:

 password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=9 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3
 password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10

This will mean:

 minlen=9 the minimum password length
 lcredit=-1 minimum of 1 lowercase
 ucredit=-1 minimum 1 uppercase
 dcredit=-1 minimum 1 decimal character (number)
 ocredit=-1 minimum 1 special character (punctuation etc)
 difok=3 enforces no less than 3 character difference between password changes.
 remember=10 remembers the last 10 password changes so they can't be repeated.

And yes, it's -1!!