How to Configure Linux Password Expiration and Complexity Rules

This guide explains how to set password aging limits in /etc/login.defs, modify them with sed, and enforce password complexity on CentOS systems using PAM modules such as pam_cracklib and pam_pwquality, including recommended values and practical examples.

MaGe Linux Operations

Linux password expiration settings

You can control password expiration via the /etc/login.defs file. Edit the file to set variables such as PASS_MAX_DAYS, PASS_MIN_DAYS, and PASS_WARN_AGE. The default values are very high (e.g., 99999 days), while recommended settings are 90 days for maximum age, 0 for minimum days, and a 7‑day warning.

sudo vi /etc/login.defs
PASS_MAX_DAYS 150
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
# These settings require users to change passwords every 6 months with a 7‑day advance warning.

Default values:

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

Recommended values:

PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    6
PASS_WARN_AGE   7

You can also modify these settings with sed:

sed -r -i 's/(PASS_MAX_DAYS)\s+([0-9]+)/\1 90/' /etc/login.defs   # set max days to 90
sed -r -i 's/(PASS_MIN_LEN)\s+([0-9]+)/\1 13/' /etc/login.defs    # set minimum length to 13
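The sed one-liners above silently do nothing when the key is absent or commented out. The following POSIX sh helpers, added here as an example and not part of the original article, update an existing uncommented setting in place, append it when it is missing, leave the documentation comments in login.defs untouched, and audit the result against the recommended 90-day / 7-day values. The demo works on a constructed copy of the file, not the live /etc/login.defs.

```shell
#!/bin/sh
# Added example: idempotent editing and auditing of PASS_* settings in a
# login.defs-style file. Assumes GNU sed (-r -i) as on CentOS.

set_login_def() {   # set_login_def KEY VALUE FILE
    key=$1; value=$2; file=$3
    if grep -Eq "^[[:space:]]*${key}[[:space:]]+[0-9]+" "$file"; then
        # Active line present: rewrite its value, leave "# KEY ..." comments alone.
        sed -r -i "s/^([[:space:]]*${key})[[:space:]]+[0-9]+/\1 ${value}/" "$file"
    else
        # Key missing or only present in a comment: append an active line.
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

get_login_def() {   # get_login_def KEY FILE -> prints the last active value (empty if unset)
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

audit_login_defs() {  # audit_login_defs FILE -> 0 when within the recommended limits
    file=$1; rc=0
    max=$(get_login_def PASS_MAX_DAYS "$file")
    warn=$(get_login_def PASS_WARN_AGE "$file")
    if [ -z "$max" ] || [ "$max" -gt 90 ]; then
        echo "PASS_MAX_DAYS=${max:-unset} exceeds the recommended 90"; rc=1
    fi
    if [ -z "$warn" ] || [ "$warn" -lt 7 ]; then
        echo "PASS_WARN_AGE=${warn:-unset} is below the recommended 7"; rc=1
    fi
    return $rc
}

demo_login_defs() {   # hardens a constructed login.defs copy in a temp file
    f=$(mktemp)
    cat > "$f" <<'EOF'
# PASS_MAX_DAYS   Maximum number of days a password may be used.
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
EOF
    audit_login_defs "$f" || echo "(before hardening: non-compliant)"
    set_login_def PASS_MAX_DAYS 90 "$f"
    set_login_def PASS_MIN_LEN 13 "$f"     # appended: the sample file lacked it
    audit_login_defs "$f" && echo "(after hardening: compliant)"
    cat "$f"
    rm -f "$f"
}
```

Two caveats: login.defs aging values only apply to accounts created afterwards, so existing users need `chage -M 90 -W 7 <user>` (verify with `chage -l <user>`); and because passwd on CentOS is PAM-aware, PASS_MIN_LEN is not what enforces length there, the pam_cracklib/pam_pwquality minlen setting is.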

Linux password complexity rules

Password complexity is enforced through the PAM configuration file /etc/pam.d/system-auth (effective for regular users; root may be exempt). On CentOS 6 the default module is pam_cracklib.so; on CentOS 7 the pam_pwquality.so module is used.

# Example modification for CentOS 6
password    requisite     pam_cracklib.so try_first_pass retry=3 type= minlen=8 ucredit=-2 lcredit=-4 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Key parameters:

retry=3 – number of allowed attempts when changing a password.
type=xxx – placeholder for the password prompt text.
minlen=8 – minimum password length.
ucredit=-2 – at least two uppercase letters.
lcredit=-4 – at least four lowercase letters.
dcredit=-1 – at least one digit.
ocredit=-1 – at least one special character.
remember=5 – disallow reuse of the last five passwords.

Additional options:

difok=N – require at least N characters to differ from the old password.
difignore=N – number of characters ignored before applying difok (default 23).
minclass=N – minimum number of character classes (uppercase, lowercase, digit, special) required.

Disallow reuse of old passwords

In /etc/pam.d/system-auth ensure the line containing pam_unix.so includes remember=5. This prevents the last five passwords from being reused and stores old passwords in /etc/security/opasswd.

sudo vi /etc/pam.d/system-auth
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Set minimum password length

Locate the line with pam_cracklib.so and add minlen=10. The effective minimum length is minlen minus the number of character classes present in the password (each class earns one credit by default), so with all four classes present a minlen=10 setting allows a 6‑character password.

sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10

Common complexity configuration

Ensure the line with pam_cracklib.so includes the following credits to require at least one uppercase, two lowercase, one digit, and one special character:

sudo vi /etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

CentOS 7 example using pam_pwquality

# Backup original file
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
vim /etc/pam.d/system-auth

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root

retry=3 – allowed attempts.
minlen=12 – minimum length (example).
lcredit=-1 – at least one lowercase letter.
ucredit=-1 – at least one uppercase letter.
dcredit=-1 – at least one digit.
ocredit=-1 – at least one special symbol (e.g., @, #, !, $).
enforce_for_root – apply the policy to the root account as well.

Another sample rule:

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=13 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
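The minlen/credit arithmetic described above (a negative credit is a per-class requirement, a positive credit adds one point per character of that class up to the credit) is easy to get wrong when tuning a line for pam_cracklib or pam_pwquality. The POSIX sh evaluator below is an added example, not code from the article or from either PAM module: it applies that model, with pam_cracklib's defaults of minlen=9 and credits of 1, to a candidate password so a policy string can be sanity-checked before deployment. Tokens it does not model (retry, difok, try_first_pass, enforce_for_root) are ignored, and it assumes ASCII passwords.

```shell
#!/bin/sh
# Added example: evaluate a password against minlen/credit settings using the
# model described in the article. Exit 0 = accepted, 1 = rejected.

check_policy() {   # check_policy "minlen=10 ucredit=-1 ..." PASSWORD
    policy=$1; pw=$2
    minlen=9; ucredit=1; lcredit=1; dcredit=1; ocredit=1   # pam_cracklib defaults
    for kv in $policy; do
        case $kv in
            minlen=*)  minlen=${kv#*=} ;;
            ucredit=*) ucredit=${kv#*=} ;;
            lcredit=*) lcredit=${kv#*=} ;;
            dcredit=*) dcredit=${kv#*=} ;;
            ocredit=*) ocredit=${kv#*=} ;;
        esac                                 # other tokens are ignored
    done
    n_u=$(( $(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c) ))
    n_l=$(( $(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c) ))
    n_d=$(( $(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c) ))
    n_o=$(( ${#pw} - n_u - n_l - n_d ))      # everything else counts as "other"
    score=${#pw}
    for pair in "$ucredit:$n_u" "$lcredit:$n_l" "$dcredit:$n_d" "$ocredit:$n_o"; do
        credit=${pair%%:*}; n=${pair#*:}
        if [ "$credit" -lt 0 ]; then
            # Negative credit: at least |credit| characters of this class, no bonus.
            [ "$n" -ge $(( 0 - credit )) ] || return 1
        elif [ "$n" -lt "$credit" ]; then
            score=$(( score + n ))           # one point per character, up to credit
        else
            score=$(( score + credit ))
        fi
    done
    [ "$score" -ge "$minlen" ]
}

# Demo: the article's common complexity line versus a bare minlen=10.
strict='retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1'
for pw in 'Ab1!xy' 'Abcdefgh1!'; do
    check_policy 'minlen=10' "$pw" && v1=accept || v1=reject
    check_policy "$strict" "$pw" && v2=accept || v2=reject
    echo "$pw: minlen=10 -> $v1; strict line -> $v2"
done
```

On CentOS 7 the same minlen and credit values can also be set in /etc/security/pwquality.conf, and the pwscore utility that ships with libpwquality reads a candidate password on stdin and reports whether it passes that configuration.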
Written by

MaGe Linux Operations