Linux Password Quality Control in PAM module

Password quality control, to the limited extent that it really matters, is now best done with pam_pwquality.so and pam_pwhistory.so.

Be careful. Use of pam_pwhistory.so means that you now must also protect /etc/security/opasswd as that contains information on users' old passwords which will give you very useful hints as to what their later passwords will look like.

pam_pwquality.so can be configured with parameters within the PAM files, but a better approach would be to customize it within /etc/security/pwquality.conf so that every program handling password changes uses the same rules.
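A way to check both points on a host, as an added example that is not from the original article: it reports PAM entries that set pam_pwquality.so policy inline rather than in pwquality.conf, and tests whether the opasswd file is closed to group and other. The function names are hypothetical, root ownership with mode 600 is an assumed target, and GNU stat and grep are assumed.

```shell
#!/bin/sh
# Added audit sketch; paths are passed in so it can be tried on copies first.

# opasswd_is_protected FILE [UID]: succeed only if FILE is owned by UID
# (default 0, root) and grants no permission bits to group or other.
opasswd_is_protected() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || return 2                       # nothing to check
    [ "$(stat -c '%u' "$file")" = "$want_uid" ] || return 1
    mode=$(stat -c '%a' "$file")                     # octal digits, e.g. 600
    [ $((0$mode & 077)) -eq 0 ]                      # group/other bits must be clear
}

# inline_pwquality_policy DIR: print "file:lineno:text" for every active
# pam_pwquality.so entry in DIR that sets a policy option inline instead of
# leaving it to pwquality.conf. Stack arguments such as retry= are ignored.
inline_pwquality_policy() {
    grep -HnE '^[^#]*pam_pwquality\.so.*[[:space:]](minlen|minclass|difok|[dulo]credit|maxrepeat|maxsequence|maxclassrepeat|dictcheck|usercheck|gecoscheck)=' "$1"/* 2>/dev/null
}

# uses_pwhistory DIR: succeed if any active line in DIR loads pam_pwhistory.so.
uses_pwhistory() {
    grep -qE '^[^#]*pam_pwhistory\.so' "$1"/* 2>/dev/null
}

# audit PAM_DIR OPASSWD_FILE: print findings for both checks.
audit() {
    inline_pwquality_policy "$1" && echo "^ move these options to pwquality.conf"
    if uses_pwhistory "$1" && ! opasswd_is_protected "$2"; then
        echo "tighten $2: chown root:root, chmod 600"
    fi
}
# Typical call on a real host, as root: audit /etc/pam.d /etc/security/opasswd
```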

In the past, pam_cracklib.so was the only thing you could count on being there in any distribution. Then pam_passwdqc.so came along. They are still available, although pam_pwquality.so is now the best tool. However, people used to setting up password policies on Windows will be unhappy with all of them as none allow you to rigidly enforce a password policy exactly the same way you can in Windows. Just set something and move forward as password security is largely an illusion.

Source: cromwell-intl.com

Tien Phan
