
How to Configure Linux Password Expiration and Complexity Policies

This guide explains how to set password expiration periods, minimum length, and complexity requirements on Linux systems by editing /etc/login.defs and PAM configuration files, with example commands and recommended values.

Liangxu Linux

Linux systems allow administrators to control password aging and complexity through configuration files. The /etc/login.defs file defines password expiration parameters such as PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, and PASS_WARN_AGE. By editing this file, you can set a maximum password age (e.g., 90 days) and a warning period (e.g., 7 days) to prompt users to change passwords.

sudo vi /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7

Default values are often very high (e.g., PASS_MAX_DAYS 99999), so the guide recommends more secure settings like PASS_MAX_DAYS 90, PASS_MIN_LEN 6. You can also modify these values with sed commands, for example:

Replace the maximum days:

sed -r -i 's/(PASS_MAX_DAYS)\s+([0-9]+)/\1 90/' /etc/login.defs

Increase minimum length:

sed -r -i 's/(PASS_MIN_LEN)\s+([0-9]+)/\1 13/' /etc/login.defs
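As an added example (not part of the original article), a small POSIX shell audit that checks a login.defs-style file against the values recommended above, and separately checks a shadow-style entry, because PASS_MAX_DAYS in /etc/login.defs only applies to accounts created after the edit; existing accounts keep the per-user aging fields already in /etc/shadow (adjusted with chage). The thresholds (max 90, warn 7, minlen 8) and the sample file are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original article). Thresholds are assumed.

# Print the value of KEY from a login.defs file; empty if absent or commented out.
logindefs_value() {  # $1=file $2=key
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Return 0 if the file meets the aging/length thresholds, 1 otherwise.
# Assumed thresholds: PASS_MAX_DAYS <= 90, PASS_WARN_AGE >= 7, PASS_MIN_LEN >= 8.
check_login_defs() {  # $1=file
    max=$(logindefs_value "$1" PASS_MAX_DAYS)
    warn=$(logindefs_value "$1" PASS_WARN_AGE)
    minlen=$(logindefs_value "$1" PASS_MIN_LEN)
    rc=0
    [ -n "$max" ] && [ "$max" -le 90 ] || { echo "PASS_MAX_DAYS=${max:-unset} exceeds 90"; rc=1; }
    [ -n "$warn" ] && [ "$warn" -ge 7 ] || { echo "PASS_WARN_AGE=${warn:-unset} below 7"; rc=1; }
    [ -n "$minlen" ] && [ "$minlen" -ge 8 ] || { echo "PASS_MIN_LEN=${minlen:-unset} below 8"; rc=1; }
    return $rc
}

# Return 0 if a shadow-style line (name:hash:lastchange:min:max:warn:...) has max <= 90.
# Field 5 is the per-user maximum age; editing login.defs does not change it for
# existing users, so an audit must look here as well (chage -l shows the same data).
check_shadow_line() {  # $1=line
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    [ -n "$max" ] && [ "$max" -le 90 ]
}

# Constructed sample input: a login.defs carrying typical distro defaults.
sample=$(mktemp)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$sample"
check_login_defs "$sample" || echo "login.defs needs tightening"
rm -f "$sample"
```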

Password Complexity via PAM

Complexity rules are enforced through PAM modules in /etc/pam.d/system-auth. On CentOS 6, pam_cracklib.so is used; on CentOS 7, pam_pwquality.so provides similar functionality. Example modifications include setting minimum length, required character classes, and remembering previous passwords:

# CentOS 6 example
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 ucredit=-2 lcredit=-4 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Key parameters:

retry=3 – number of attempts allowed for a password change.
minlen=8 – minimum password length.
ucredit=-2, lcredit=-4, dcredit=-1, ocredit=-1 – require at least 2 uppercase, 4 lowercase, 1 digit, and 1 special character.
remember=5 – prevent reuse of the last five passwords.

Additional PAM options include difok=N (minimum differing characters from the old password), difignore=N (characters ignored before applying difok), and minclass=N (minimum number of character classes).

Disallow Reusing Recent Passwords

Ensure the line containing both password and pam_unix.so includes remember=5 to block the last five passwords, which are stored in /etc/security/opasswd:

sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Set Minimum Length and Complexity

Adjust the pam_cracklib.so line to include minlen=10 and appropriate credit values to enforce required character types. For example, to require at least one uppercase, two lowercase, one digit, and one special character:

sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

CentOS 7 Example Using pam_pwquality

Backup the original file, then edit to include desired settings:

# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
vim /etc/pam.d/system-auth

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

Key options are similar to pam_cracklib, with enforce_for_root ensuring the policy also applies to the root account.

retry=3 – attempts allowed.
minlen=12 – minimum length.
lcredit=-1, ucredit=-1, dcredit=-1, ocredit=-1 – require at least one of each character type.
enforce_for_root – apply the policy to root.

These configurations help enforce stronger password policies, reducing the risk of compromised accounts.
