Enforcing password complexity on CentOS

The pam_pwquality (previously pam_cracklib) module is used to check password complexity against a set of rules. It checks if the password is found in a dictionary; if not, it will continue with additional checks.

The module reads its settings from /etc/security/pwquality.conf, but the same options can also be set directly on the pam_pwquality.so line in /etc/pam.d/system-auth, and options given there override the values in the file.

To add the password policies, add the options you need to the pam_pwquality.so line in system-auth:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

  • minlen – minimum password length
  • lcredit – minimum number of lowercase letters
  • ucredit – minimum number of uppercase letters
  • dcredit – minimum number of digits
  • ocredit – minimum number of special characters

In this case, -1 means that the password must have at least one character of that type. You can change this number as you prefer.
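To see what these five options actually accept or reject before changing a live policy, here is an added shell example (not from the original page or from libpwquality) that parses a pam_pwquality.so line and applies a simplified model of the minlen and credit rules to a candidate password; the two pam lines and the passwords are constructed, and the real module additionally runs the dictionary and other checks that are not modelled here. It also covers the case the page does not show: a credit value of 0 or more does not require that character class at all, it only lets such characters count extra towards minlen.

```shell
#!/bin/sh
# Constructed pam_pwquality.so lines (not copied from any real host): the
# page's policy with negative credits, and one that uses positive credits.
STRICT_LINE='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=16 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1'
CREDIT_LINE='password    requisite     pam_pwquality.so try_first_pass retry=3 minlen=8 lcredit=1 ucredit=1 dcredit=1 ocredit=1'
export LC_ALL=C   # keep the tr character ranges ASCII-only

# pwq_opt LINE NAME: print NAME's value from the pam line, or nothing if unset.
pwq_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# count_class PASSWORD SET MODE: number of characters of PASSWORD inside SET
# (MODE=keep) or outside SET (MODE=drop, used for the "other" class).
count_class() {
    if [ "$3" = keep ]; then n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
    else n=$(printf '%s' "$1" | tr -d "$2" | wc -c); fi
    echo "$n" | tr -d ' '
}

# pwq_check LINE PASSWORD: 0 if PASSWORD satisfies the minlen/*credit options
# on LINE, 1 if it fails, 2 if any of the five options is missing from LINE
# (the module would then fall back to pwquality.conf, not modelled here).
# Credit -N: at least N characters of that class are required.
# Credit N >= 0: nothing is required; up to N characters of the class each
# add one to the effective length compared against minlen (pam_pwquality(8)).
pwq_check() {
    line=$1; pw=$2
    minlen=$(pwq_opt "$line" minlen); [ -n "$minlen" ] || return 2
    eff=${#pw}
    for spec in 'lcredit a-z keep' 'ucredit A-Z keep' 'dcredit 0-9 keep' 'ocredit a-zA-Z0-9 drop'; do
        set -- $spec
        credit=$(pwq_opt "$line" "$1"); [ -n "$credit" ] || return 2
        have=$(count_class "$pw" "$2" "$3")
        if [ "$credit" -lt 0 ]; then
            [ "$have" -ge $(( -credit )) ] || return 1
        elif [ "$have" -lt "$credit" ]; then eff=$((eff + have))
        else eff=$((eff + credit)); fi
    done
    [ "$eff" -ge "$minlen" ]
}

# Demo: the strict policy rejects a password with no uppercase letter, while
# the positive-credit policy accepts a short all-lowercase one.
for pw in 'Correct-Horse-Battery1' 'correct-horse-battery1' 'abcdefg'; do
    pwq_check "$STRICT_LINE" "$pw" && s=pass || s=fail
    pwq_check "$CREDIT_LINE" "$pw" && c=pass || c=fail
    printf '%-24s strict=%s credits=%s\n' "$pw" "$s" "$c"
done
```

On a host with libpwquality installed, pwscore reads a password from stdin and scores it against the real /etc/security/pwquality.conf, which is the authoritative check.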

If you need to enforce the policies even for the root user, use the enforce_for_root option.

You can also add policies using the authconfig command:

authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=8 --update