Change Password Complexity Requirements

CentOS and Fedora apply no password complexity requirements by default, but they are very simple to add.

  1. Edit /etc/pam.d/system-auth.
  2. Change the line which says:

password requisite try_first_pass retry=3

to:

password requisite try_first_pass retry=3 minlen=8 ucredit=2 dcredit=3 ocredit=-1 lcredit=1

minlen=N   minimum password size
dcredit=N  the maximum credit for having digits in the new password
lcredit=N  the maximum credit for having lowercase letters in the new password
ocredit=N  the maximum credit for having other characters in the new password
ucredit=N  the maximum credit for having uppercase letters in the new password
difok=N    the number of characters in the new password which need to differ from the current password

The way this works is that for each character type you define the maximum "bonus" the user gets for using it. If you use a negative number, the password is instead required to contain that many characters of that type: a value of lcredit=-2 means at least 2 lowercase letters are required. With the settings above the minimum length is 8, so the password "foobar" scores 6 points for its 6 characters plus 1 for using lowercase letters, a total of 6 + 1 = 7, which is below the minimum. Here are some more password examples using the settings shown above:

Password   Count                  Total Score   Valid
foobar     6 + 1                  7             No
Foobar     6 + 1 + 1              9             Yes
FOobar     6 + 2 + 1              10            Yes
F0obar1!   6 + 2 + 3 + 1 + 3      15            Yes
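To make the scoring concrete, here is an added Python model of the credit rule (my own code, not from the original post and not the PAM module itself): each non-negative credit adds one bonus point per character of that class, capped at N, a negative credit is a hard requirement as described above, and the password passes when length plus bonuses reaches minlen. The defaults are the settings from the system-auth line; note that with ocredit=-1 a password containing no non-alphanumeric character is refused whatever its score.

```python
"""Model of pam_cracklib credit scoring (added example, not from the original post)."""


def classify(password):
    """Count digits, uppercase, lowercase and other characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def cracklib_score(password, minlen=8, dcredit=3, ucredit=2, lcredit=1, ocredit=-1):
    """Return (score, valid, reasons) under the credit rules.

    A credit N >= 0 adds one point per character of that class, capped at N.
    A credit -N is a requirement: at least N such characters, and no bonus.
    Defaults are the values from the system-auth line above.
    """
    counts = classify(password)
    credits = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    names = {"d": "digit", "u": "uppercase", "l": "lowercase", "o": "other"}
    score = len(password)          # every character is worth one point
    reasons = []
    for cls, credit in credits.items():
        if credit >= 0:
            score += min(counts[cls], credit)   # bonus, capped at the credit
        elif counts[cls] < -credit:             # negative credit: hard requirement
            reasons.append(f"needs at least {-credit} {names[cls]} character(s)")
    if score < minlen:
        reasons.append(f"score {score} is below minlen={minlen}")
    return score, not reasons, reasons


if __name__ == "__main__":
    for pw in ("foobar", "Foobar", "FOobar", "F0obar1!"):
        score, valid, reasons = cracklib_score(pw)
        print(f"{pw:10} score={score:2} valid={valid} {'; '.join(reasons)}")
```

Passing ocredit=0 instead of -1 turns the "other character" requirement off, which shows how much of a password's acceptance comes from the score and how much from the requirement.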
