Password policy with pam_cracklib

The pam_cracklib PAM module checks a new password against a dictionary list, lets you test the strength of the password, and lets you set rules that identify poor passwords.


Here are the most important parameters for this module:

  1. minlen: minimal password length
  2. dcredit: maximum number of digits
  3. ucredit: maximum number of upper case letters
  4. lcredit: maximum number of lower case letters
  5. ocredit: maximum number of other characters, not similar to the old one
  6. maxrepeat: limits repeated characters
  7. reject_username: checks whether the username appears inside the password, to avoid weak accounts such as bob/bob or bob/bob123
  8. enforce_for_root: this is the most important one. Why? Because if you don't apply it, the user just sees the warning and whatever password was typed is applied anyway; with this parameter set, the policy is enforced and the user has to follow it 😉
  9. dictpath: points cracklib at a specific password dictionary. I recommend the rockyou list because it contains many leaked passwords and is used by many attackers to brute-force systems. Example: dictpath=/var/wordlist/rockyou.txt


Time to deploy our password policy.

We want to apply this to new passwords; we can also force users to update their passwords the next time they log in, via this command:

This command has a high impact: it finds all users with a bash shell and forces them to update their password, even root. You can exclude root by piping the output of grep through grep -v root.

Example result:
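The step described above, as an added example that is not the post's own command: it selects the bash-shell accounts from passwd data (a constructed sample is embedded here), skips root by matching the first field rather than grepping the whole line, and prints the chage -d 0 command that would force a password change at next login. Nothing touches the system unless APPLY=1 is set, in which case it runs against the real /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original post. Lists accounts whose login
# shell is bash from passwd-format data and emits the command that would
# expire each one's password (chage -d 0 sets the last-change date to the
# epoch, which forces a change at the next login). Default is a dry run
# on constructed sample data; APPLY=1 runs the commands for real (as root).

# Constructed sample passwd content: root, a nologin service account,
# two bash users and a /bin/false account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1000:1000:Bob:/home/bob:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
svc:x:1002:1002:service:/srv/svc:/bin/false'

# bash_users PASSWD_CONTENT
# Print the login names whose shell (7th field) ends in /bash, excluding
# root. Anchoring on the first field has the same effect as the post's
# "grep -v root" without also skipping an account whose name merely
# contains "root".
bash_users() {
    printf '%s\n' "$1" | awk -F: '$7 ~ "/bash$" && $1 != "root" { print $1 }'
}

# expire_commands PASSWD_CONTENT
# One "chage -d 0 <user>" line per bash user, ready to review or pipe to sh.
expire_commands() {
    bash_users "$1" | while IFS= read -r user; do
        printf 'chage -d 0 %s\n' "$user"
    done
}

# main: dry run on the sample by default; APPLY=1 executes against /etc/passwd
main() {
    if [ "${APPLY:-0}" = "1" ]; then
        expire_commands "$(cat /etc/passwd)" | sh
    else
        expire_commands "$SAMPLE_PASSWD"
    fi
}

main
```

Run it once without APPLY to review the list of accounts that would be affected; only then rerun with APPLY=1 as root.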

We will use the passwd module inside /etc/pam.d/passwd to add our new policy:
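As an added example (not the post's own configuration), here is a weak and a hardened pam_cracklib line for /etc/pam.d/passwd, together with a small audit function that reports which of the options listed above a given line is missing. The minlen of 12, the credit values and the dictionary path /var/cracklib/pw_dict are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a typical weak pam_cracklib
# line next to a hardened one, plus an audit that flags missing options.
# Threshold (minlen 12) and paths are assumptions for the example.

# Constructed: a common distro default. It warns but sets no complexity
# rule, and without enforce_for_root the warning is all root ever sees.
WEAK_LINE='password requisite pam_cracklib.so retry=3'

# Constructed: the policy from the post. A negative credit means "at least
# one character of this class". dictpath is the prefix of the cracklib
# dictionary files (pw_dict.pwd/.pwi/.hwm), not a plain text wordlist.
HARDENED_LINE='password requisite pam_cracklib.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 maxrepeat=3 reject_username enforce_for_root dictpath=/var/cracklib/pw_dict'

# audit_line LINE
# Print one finding per missing or weak option; print nothing and return 0
# when the line meets the policy, return 1 otherwise.
audit_line() {
    line=$1
    findings=0
    # options that must simply be present
    for opt in enforce_for_root reject_username maxrepeat= dictpath=; do
        case " $line " in
            *" $opt"*) ;;
            *) printf 'missing %s\n' "$opt"; findings=1 ;;
        esac
    done
    # minlen must be present and at least 12 (assumed threshold)
    minlen=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]minlen=\([0-9]*\).*/\1/p')
    if [ -z "$minlen" ] || [ "$minlen" -lt 12 ]; then
        printf 'minlen below 12 or unset\n'
        findings=1
    fi
    # each credit must be negative, i.e. a required minimum, not a bonus
    for credit in dcredit ucredit lcredit ocredit; do
        case " $line " in
            *" $credit=-"*) ;;
            *) printf '%s is not a minimum (no negative value)\n' "$credit"; findings=1 ;;
        esac
    done
    return $findings
}

# audit_file PATH
# Audit every password-stack pam_cracklib line in a PAM config file.
audit_file() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$1" | while IFS= read -r l; do
        printf '== %s\n' "$l"
        audit_line "$l" && printf 'OK\n'
    done
}

# Stand-alone demonstration on the two constructed lines.
printf 'weak:\n';     audit_line "$WEAK_LINE" || true
printf 'hardened:\n'; audit_line "$HARDENED_LINE" && printf 'OK\n'
```

In the real file the pam_cracklib line goes before the pam_unix line, and pam_unix should carry use_authtok so it takes the password cracklib has already checked instead of prompting again. dictpath expects the prefix of a cracklib-packed dictionary (the .pwd/.pwi/.hwm set written by create-cracklib-dict or cracklib-packer), so a plain text wordlist such as rockyou.txt has to be packed first. Newer distributions ship pam_pwquality in place of pam_cracklib; it keeps most of these option names, and the same audit applies after changing the module name in the grep.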


Here is the output of several different failed password changes:

BAD PASSWORD: is too similar to the old one
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a (reversed) dictionary word
BAD PASSWORD: it is too short
