Implementing Strong Password Complexity on Linux
Strengthen your Linux systems with robust password policies using libpam-pwquality
Weak passwords remain one of the most common attack vectors in cybersecurity. Linux systems by default often allow users to set simple, easily guessable passwords that can compromise entire systems. Implementing robust password complexity requirements using libpam-pwquality provides a critical layer of defense against brute force attacks and credential compromise.
This guide demonstrates how to configure comprehensive password complexity policies on Ubuntu and RHEL/AlmaLinux systems to enforce strong authentication practices across your environment.
Prerequisites
- Administrative access to modify system configuration files
- Basic understanding of PAM (Pluggable Authentication Modules)
- Knowledge of password security best practices
How Password Complexity Works
libpam-pwquality enforces password quality through:
- Minimum length requirements
- Character class diversity (uppercase, lowercase, digits, special characters)
- Dictionary word prevention
- Repetition and pattern restrictions
Credit System
Positive values: The maximum credit that characters of that type earn toward minlen, so a password that uses them may be shorter than minlen
Negative values: Mandate a minimum number of characters of that type regardless of length
Common Requirements:
minlen 12 # Minimum 12 characters
dcredit -1 # Must contain at least 1 digit
ucredit -1 # Must contain at least 1 uppercase letter
ocredit -1 # Must contain at least 1 special character
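The credit arithmetic described above, as an added example that is not part of the original guide or of libpwquality: a simplified shell model of the length and credit checks only. The function names check_credits and class_count and the sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: simplified model of pwquality's length and credit checks.
# Not modelled: dictionary, username, repeat and minclass checks.

# class_count STRING TR_FLAG TR_SET -> number of matching characters
class_count() {
    echo $(( $(printf '%s' "$1" | tr "$2" "$3" | wc -c) ))
}

# check_credits PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints "ok" or the first reason for rejection; returns 0 or 1.
check_credits() {
    pw=$1; required=$2
    digits=$(class_count "$pw" -cd '[:digit:]')
    uppers=$(class_count "$pw" -cd '[:upper:]')
    lowers=$(class_count "$pw" -cd '[:lower:]')
    others=$(class_count "$pw" -d '[:alnum:]')   # anything that is not a letter or digit
    for item in "digit:$digits:$3" "uppercase:$uppers:$4" \
                "lowercase:$lowers:$5" "special:$others:$6"; do
        name=${item%%:*}; rest=${item#*:}
        count=${rest%%:*}; credit=${rest#*:}
        if [ "$credit" -lt 0 ]; then
            # Negative credit: at least |credit| characters of this class are mandatory.
            if [ "$count" -lt $(( 0 - credit )) ]; then
                echo "needs $(( 0 - credit )) $name"; return 1
            fi
        else
            # Positive credit: each such character, up to the credit value,
            # lowers the length the password must reach by one.
            if [ "$count" -gt "$credit" ]; then count=$credit; fi
            required=$(( required - count ))
        fi
    done
    if [ "${#pw}" -lt "$required" ]; then
        echo "too short: ${#pw} < $required"; return 1
    fi
    echo ok
}

# Constructed samples: the same 11-character password under three policies, all with minlen 12.
check_credits 'abcdefghij1' 12  0  0  0  0 || true   # too short: 11 < 12
check_credits 'abcdefghij1' 12  1  1  1  1 || true   # ok (required length drops to 10)
check_credits 'abcdefghij1' 12 -1 -1 -1 -1 || true   # needs 1 uppercase
```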
Current System Defaults
Ubuntu
- No password complexity enforcement by default
- libpam-pwquality installed but not configured
- Users can set simple passwords like “123456”
RHEL/AlmaLinux
- Basic pwquality configuration present
- Minimal complexity requirements
- Often insufficient for security-conscious environments
Try it yourself:
Check Current Configuration
# Check if pwquality is installed
dpkg -l | grep libpam-pwquality # Ubuntu
rpm -qa | grep pwquality # RHEL/AlmaLinux
# View current configuration
cat /etc/security/pwquality.conf
# Test current password requirements
passwd # Try setting a weak password
Installation and Configuration
Ubuntu
# Install pwquality if not present
sudo apt update
sudo apt install libpam-pwquality
# Verify PAM integration
grep pam_pwquality /etc/pam.d/common-password
RHEL/AlmaLinux
# Install pwquality (the libpwquality package provides pam_pwquality.so and the pwscore/pwmake tools)
sudo dnf install libpwquality
# Verify PAM integration
grep pam_pwquality /etc/pam.d/system-auth
Password Policy Configuration
Edit /etc/security/pwquality.conf:
sudo vim /etc/security/pwquality.conf
Recommended Configuration
# Minimum password length
minlen = 12
# Character type requirements (negative = mandatory minimum)
dcredit = -1 # Must have at least 1 digit
ucredit = -1 # Must have at least 1 uppercase letter
lcredit = -1 # Must have at least 1 lowercase letter
ocredit = -1 # Must have at least 1 special character
# Character class requirements
minclass = 4 # Must use all 4 character types
# Repetition controls
maxrepeat = 2 # Maximum consecutive identical characters
# Security checks
dictcheck = 1 # Check against dictionary words
usercheck = 1 # Prevent username in password
# Apply to root user (optional but recommended)
enforce_for_root
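One way to check a host against this baseline, as an added example rather than a tool shipped with libpwquality: the hypothetical audit_pwquality function parses pwquality.conf text and reports each setting weaker than the configuration above. It assumes an unset dictcheck or usercheck is enabled, which is the library default.

```shell
#!/bin/sh
# Added example: audit pwquality.conf text against the baseline recommended above.
# Reads the file named as $1, or stdin. Prints one finding per line and
# returns non-zero when any setting is weaker than the baseline.
# Assumption: unset dictcheck/usercheck count as enabled (the library default).
audit_pwquality() {
    awk '
    function flag(msg) { print msg; bad = 1 }
    function num(key)  { return val[key] + 0 }
    function credit(key) {
        if (!(key in val) || num(key) > -1) flag(key ": want -1 or lower")
    }
    { sub(/#.*/, ""); gsub(/[ \t\r]+/, "") }      # drop comments and whitespace
    $0 == "" { next }
    { n = split($0, kv, "="); val[kv[1]] = (n > 1) ? kv[2] : "set" }
    END {
        if (!("minlen" in val) || num("minlen") < 12) flag("minlen: want 12 or more")
        credit("dcredit"); credit("ucredit"); credit("lcredit"); credit("ocredit")
        if (!("minclass" in val) || num("minclass") < 4) flag("minclass: want 4")
        if (!("maxrepeat" in val) || num("maxrepeat") < 1 || num("maxrepeat") > 2)
            flag("maxrepeat: want 1 or 2 (0 disables the check)")
        if (("dictcheck" in val) && num("dictcheck") == 0) flag("dictcheck: disabled")
        if (("usercheck" in val) && num("usercheck") == 0) flag("usercheck: disabled")
        if (!("enforce_for_root" in val)) flag("enforce_for_root: not set, root is only warned")
        exit bad + 0
    }' "$@"
}

# Constructed sample: a file that relaxes the policy (not taken from a real host).
printf '%s\n' '# constructed sample' 'minlen = 8' 'dcredit = 1' 'dictcheck = 0' \
    | audit_pwquality || true
```

Run it as `audit_pwquality /etc/security/pwquality.conf`; options given on the pam_pwquality.so line in the PAM stack override the file, so review those too.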
Testing and Verification
Test Password Complexity
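# Test with various weak passwords (setting another user's password requires root;
# enforce_for_root above makes the checks binding for a root-run passwd)
sudo passwd testuser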
# Try these weak examples:
# "password123" - Should fail (dictionary word)
# "Password" - Should fail (too short, no digits/special)
# "Pass123" - Should fail (too short)
# "PASSWORD123!" - Should fail (no lowercase)
# Valid strong password example:
# "MySecure2024!@#" - Should succeed
Verify Error Messages
Expected error messages:
- “BAD PASSWORD: The password is shorter than 12 characters”
- “BAD PASSWORD: The password lacks an uppercase letter”
- “BAD PASSWORD: it is based on a dictionary word”
- “BAD PASSWORD: contains the user name in some form”
PAM Configuration
Ubuntu PAM Setup
# Ensure PAM integration exists
grep "pam_pwquality.so" /etc/pam.d/common-password
# Should show:
# password requisite pam_pwquality.so retry=3
RHEL/AlmaLinux PAM Setup
# Verify system-auth integration
grep "pam_pwquality.so" /etc/pam.d/system-auth
# Should show:
# password requisite pam_pwquality.so try_first_pass local_users_only retry=3
Conclusion
Implementing robust password complexity requirements using libpam-pwquality significantly strengthens Linux system security by preventing weak password selection. The configuration takes effect immediately without requiring system restarts, making it ideal for production environments.
Key Takeaways
- Password complexity is enforced immediately upon configuration
- Root users can override policies by design for emergency access unless enforce_for_root is set, as it is in the recommended configuration
- Balance security requirements with user productivity
- Combine with other security measures like account lockouts and multi-factor authentication
Remember: Strong password policies are just one component of comprehensive security—implement alongside proper access controls, regular updates, and security monitoring for maximum protection.
