If you’ve never deployed password quality checking on your Debian-based Linux system, you can check it out now. The Cylix Linux software runs on Debian 8.7.1 and up, and while we’re making sure your notes are encrypted, we want to help you ensure that your systems are safe too.
The settings for password quality checking are not straightforward, but they are highly sophisticated. It is one of the flexible little features of Linux for which we’re grateful.
You have to install the relevant library first. To do so, use the command:
apt-get -y install libpam-pwquality
You’ll find most of the settings in the file named /etc/pam.d/common-password.
Complexity settings to keep your Linux software safe
You may set the minimum password length to 12 using complexity settings, but it doesn’t work as you’d expect. Users may get away with eight-character passwords if they’ve got credit for other forms of password complexity.
Using the complexity settings, you can also define rules for system users to set passwords:
• Uppercase, lowercase
• Other special characters
• A mix of these
• Restriction on how many times the same character can be used
• Restriction on reusing a password, etc.
Some of the self-explanatory keywords that the settings include are minlen, minclass, maxrepeat, maxclassrepeat, lcredit, ucredit, dcredit, ocredit, difok, remember.
Note that class here refers to a type of characters, such as Uppercase, Lowercase, Digits, etc.
An example of robust password complexity settings
Using the system of credits, you can enforce suitable complexity in the passwords that users create. Users earn credits when their passwords meet the conditions you set. So, for example, if you set minlen = 12, the password “erpkjdtcbmsl” may pass. But if you set dcredit = 3, then even “erpkjdtcb198” will pass, since you get three credits for digits. Nine credits for length plus three for digits make 12 credits in total, which satisfies minlen = 12.
Here’s another interesting feature of the complexity checker. If you set dcredit, lcredit, ucredit or ocredit to negative values, then you can make sure the user includes at least one of these character classes for the password to be accepted.
Continuing the example above, if you set dcredit to -1, then the password would have to include at least one digit to pass. The negative sign disables the credit, so that credits from other compliances don’t cancel out the requirement for a digit.
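The credit arithmetic described above, as an added example (a simplified model written for this page, not libpam-pwquality's own code). It assumes unset credits are 0 and ignores every other check such as minclass, maxrepeat, difok and dictionary lookups; the function name check and the sample passwords are constructed for illustration. The first case is the eight-character password that satisfies minlen = 12.

```python
import string

CLASSES = {
    "dcredit": string.digits,
    "ucredit": string.ascii_uppercase,
    "lcredit": string.ascii_lowercase,
}

def check(password, minlen, **credits):
    """Return (accepted, needed_length, missing) for one candidate password.

    Positive credit N: up to N characters of that class each count one extra
    toward minlen, so the length actually needed drops by up to N.
    Negative credit N: at least |N| characters of that class are required
    and the class earns no credit.
    """
    counts = {k: sum(c in chars for c in password) for k, chars in CLASSES.items()}
    counts["ocredit"] = len(password) - sum(counts.values())  # everything else
    needed, missing = minlen, []
    for key, count in counts.items():
        credit = credits.get(key, 0)  # assumption: unset credits are 0
        if credit >= 0:
            needed -= min(count, credit)
        elif count < -credit:
            missing.append(key)
    return len(password) >= needed and not missing, needed, missing

if __name__ == "__main__":
    one_each = dict(dcredit=1, ucredit=1, lcredit=1, ocredit=1)
    cases = [  # constructed sample passwords and settings
        ("Rt7#kqzm", 12, one_each),
        ("rtkqzmwp", 12, one_each),
        ("erpkjdtcb198", 12, dict(dcredit=3)),
        ("erpkjdtcbmsl", 12, dict(dcredit=-1)),
    ]
    for pw, minlen, credits in cases:
        ok, needed, missing = check(pw, minlen, **credits)
        print(f"{pw!r}: needed length {needed}, missing {missing}, accepted={ok}")
```

Setting all four credits to negative values removes the length discount entirely, so minlen then means the literal minimum length.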
Using minclass, you can make sure that users draw characters from your prescribed number of classes. So, for instance, if the value is 2, then system users can create a password incorporating characters from two categories, such as uppercase and digits.
This password complexity checker is only for regular users. Root users will be able to set any password they want. Once you’ve set the preferences, you should enter a password and make sure that the settings are working.
We believe a good password should be at least fourteen characters long, to be unbreakable. Eight characters may no longer cut it. And this rule can apply to the passwords you create for your notes on Cylix Linux software as well.