How to Configure Linux Password Expiration and Complexity Policies
This guide explains how to set password expiration periods, minimum length, complexity requirements, and reuse restrictions on Linux systems by editing /etc/login.defs and PAM configuration files with concrete examples and recommended values.
Linux allows administrators to control password aging and complexity through the /etc/login.defs file and PAM modules such as pam_cracklib.so or pam_pwquality.so. By editing these files, you can enforce password expiration, minimum length, character class requirements, and reuse limits.
Password Expiration Settings
Edit /etc/login.defs and set the following variables:
PASS_MAX_DAYS 150 # maximum days a password is valid
PASS_MIN_DAYS 0 # minimum days between changes (usually 0)
PASS_WARN_AGE 7 # days before expiration to warn the user

Default values are PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_MIN_LEN 5, PASS_WARN_AGE 7. Recommended settings are PASS_MAX_DAYS 90, PASS_MIN_DAYS 0, PASS_MIN_LEN 6, PASS_WARN_AGE 7.
You can modify these values with sed commands, for example:
sed -r -i 's/(PASS_MAX_DAYS)\s+[0-9]+/\1 90/' /etc/login.defs
sed -r -i 's/(PASS_MIN_LEN)\s+[0-9]+/\1 13/' /etc/login.defs

Password Complexity via PAM
For CentOS 6, edit /etc/pam.d/system-auth and replace the existing lines with:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=-2 lcredit=-4 dcredit=-1 ocredit=-1
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5

Key parameters:
retry=3 – number of allowed attempts.
minlen=8 – minimum password length.
ucredit=-2 – at least 2 uppercase letters.
lcredit=-4 – at least 4 lowercase letters.
dcredit=-1 – at least 1 digit.
ocredit=-1 – at least 1 special character.
remember=5 – prevent reuse of the last 5 passwords.

Additional PAM options include:
difok=N – require at least N characters to differ from the old password.
difignore=N – number of characters to ignore before applying difok.
minclass=N – minimum number of character classes (uppercase, lowercase, digit, special).
CentOS 7 Example with pam_pwquality
Backup the original file and edit /etc/pam.d/system-auth:
# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
vim /etc/pam.d/system-auth
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

These settings enforce a minimum length of 10–12 characters, require at least one uppercase letter, one lowercase letter, one digit, and one special symbol, and apply the policy even for the root user.
Example: password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=13 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
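The credit values above are the part of this configuration that is most often misread, so the following added example (not from the original article, and not the PAM modules' own code) reimplements the credit rule as pam_cracklib's simple() check applies it and runs candidate passwords against the pam_pwquality line shown in the CentOS 7 section: a negative credit is a minimum count of that class with no length bonus, while a positive credit lets up to that many characters of the class count extra toward minlen.

```python
import re

def parse_pam_options(line):
    """Extract key=value options (minlen, ucredit, ...) from a PAM 'password' line.
    Flags without '=' (try_first_pass, enforce_for_root) are recorded as True."""
    opts = {}
    for tok in line.split()[3:]:          # skip the type, control and module fields
        key, sep, val = tok.partition("=")
        opts[key] = int(val) if sep and re.fullmatch(r"-?\d+", val) else (val if sep else True)
    return opts

def credit_check(password, minlen=8, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return None if the password passes the credit/length rule, else a reason string.
    Reimplementation of the pam_cracklib simple() logic (not the library's code):
      credit >= 0 : up to 'credit' characters of that class add to the effective length
      credit <  0 : at least -credit characters of that class are required, no bonus"""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "ocredit": sum(not c.isalnum() for c in password),   # "other" = not a letter/digit
    }
    credits = {"dcredit": dcredit, "ucredit": ucredit, "lcredit": lcredit, "ocredit": ocredit}
    size = len(password)
    for cls, credit in credits.items():
        if credit >= 0:
            size += min(counts[cls], credit)
        elif counts[cls] < -credit:
            return f"{cls}={credit}: needs {-credit} such characters, has {counts[cls]}"
    if size < minlen:
        return f"effective length {size} < minlen={minlen}"
    return None

def check_against_pam_line(password, line):
    """Apply the minlen/credit options found in a PAM line to one candidate password."""
    opts = parse_pam_options(line)
    kw = {k: opts[k] for k in ("minlen", "dcredit", "ucredit", "lcredit", "ocredit") if k in opts}
    return credit_check(password, **kw)

# The CentOS 7 line from this article (minlen=12, every class required at least once)
PAM_LINE = ("password requisite pam_pwquality.so try_first_pass local_users_only retry=3 "
            "minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root")

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3x", "troubadour12", "Short1!"):   # constructed test passwords
        print(pw, "->", check_against_pam_line(pw, PAM_LINE) or "OK")
```

With the module defaults (all credits 1) a seven-letter lowercase password passes minlen=8 because one lowercase letter earns a credit; that bonus disappears once the credits are made negative as in the article's lines.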
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)