Password complexity is enforced by the pam_cracklib module.
In order to modify the password policy for your local machine, you will need to modify your /etc/pam.d/common-password file.
From a terminal window (Ctrl+Alt+T), enter the following command:
sudo -i gedit /etc/pam.d/common-password
Add the following line to the file (before pam_unix.so, or whichever PAM module is used primarily for authentication, as can be seen from examples in the manpage) and save the file:
password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This statement implements the following password requirements:
dcredit == digit
ucredit == upper-case character
lcredit == lower-case character
ocredit == other character (special characters, including !, @, #, $, %)
This should satisfy your requirements.
You could also use the variables minlength and retries to further restrict the password requirements.
Another good example of modifying a password policy in this manner would be placing the following line in the /etc/pam.d/common-password file:
password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
This entry will set a maximum of three attempts at getting an acceptable password with a 10-character minimum length.
This sets the requirement for users to have a minimum of three characters different from the last password.
This will also fulfill the requirement of having the password contain at least one each of a digit, a lower-case character, and an upper-case character.
See also this article on setting up stronger password policy rules in Linux.
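The procedure above edits /etc/pam.d/common-password by hand and relies on the new line landing before pam_unix.so. The following shell script is an added example, not part of either answer: it inserts the answer's pam_cracklib line before the first "password ... pam_unix.so" entry of a PAM stack file, skips the insert if the module is already configured, keeps a backup copy, and then verifies the ordering. It runs against a constructed sample of common-password in a temporary file rather than the real system file; the helper names add_cracklib and cracklib_before_unix are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answers): stack pam_cracklib before
# pam_unix in a PAM "password" section, idempotently, and check the result.
# The policy line is the one given in the answer; the helpers are hypothetical.

CRACKLIB_LINE='password requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1'

# add_cracklib FILE LINE
# Returns 0 if the line was inserted or was already present, 1 if the file has
# no "password ... pam_unix.so" entry to anchor on (file is left untouched).
add_cracklib() {
    file=$1
    line=$2
    if grep -q 'pam_cracklib\.so' "$file"; then
        return 0            # already configured: do not add a duplicate entry
    fi
    if ! grep -q '^password.*pam_unix\.so' "$file"; then
        return 1            # nothing to anchor the insert on
    fi
    cp "$file" "$file.bak"  # keep a copy so a typo cannot lock you out
    # Print the new entry immediately before the first pam_unix password line.
    awk -v ins="$line" '
        !done && /^password.*pam_unix\.so/ { print ins; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# cracklib_before_unix FILE
# Returns 0 only if the cracklib entry precedes the pam_unix password entry,
# which is the ordering the answer requires for the check to take effect.
cracklib_before_unix() {
    c=$(grep -n 'pam_cracklib\.so' "$1" | head -n1 | cut -d: -f1)
    u=$(grep -n '^password.*pam_unix\.so' "$1" | head -n1 | cut -d: -f1)
    [ -n "$c" ] && [ -n "$u" ] && [ "$c" -lt "$u" ]
}

# Constructed sample of a Debian/Ubuntu common-password file (not a real
# system file); the real one lives at /etc/pam.d/common-password.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# /etc/pam.d/common-password - password-related modules common to all services
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite                   pam_deny.so
password    required                    pam_permit.so
EOF

add_cracklib "$SAMPLE" "$CRACKLIB_LINE"
add_cracklib "$SAMPLE" "$CRACKLIB_LINE"   # second call is a no-op
if cracklib_before_unix "$SAMPLE"; then
    echo "pam_cracklib is stacked before pam_unix in $SAMPLE"
fi
```

To apply this to the real file, point add_cracklib at /etc/pam.d/common-password as root and keep the .bak copy until you have confirmed with passwd that the new policy behaves as intended.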
Best Answer
Password complexity in Ubuntu is controlled by PAM. Unfortunately, PAM is "typically Unix-like" in its approach, meaning that it spreads its configuration through a large number of very confusing files.
The file that controls password complexity is:
There is a line:
Which defines the basic rules for password complexity. You can add a minimum length override by changing it to:
or whatever minimum you want. As you can see, the default already defines some basic obscurity rules. These basic rules can be seen in:
Search for "obscure".
There are a large number of pam modules that can be installed.
Should show you them.
You will need to hunt down the documentation for them, I'm afraid. But "cracklib" is a common addition.
UPDATE: I should have pointed out that the default "obscure" parameter includes tests for complexity based on previous passwords and simplicity (length, number of different types of character). The example in the manpage shows cracklib in action. Install libpam_cracklib to get that working.
Also, once you have worked out what to change, the changes are the same in other files so that you can enforce the same (or different) password checks for SSH and other applications.