How to set password policy on Linux

User account management is one of the most critical jobs of system admins. In particular, password security should be considered the top concern for any secure Linux system. In this tutorial, I will describe how to set password policy on Linux.

I assume that you are using PAM (Pluggable Authentication Modules) on your Linux system, which is the case on all recent Linux distros.


First, install the PAM cracklib module, which checks candidate passwords against a dictionary and against the length and complexity rules configured below.

On Debian, Ubuntu or Linux Mint:

$ sudo apt-get install libpam-cracklib

The cracklib PAM module is installed by default on CentOS, Fedora and RHEL, so no further installation is needed there. On Fedora and on RHEL/CentOS 7 or later, the default quality module is pam_pwquality.so rather than pam_cracklib.so; it accepts the same minlen, difok and *credit options used below, so substitute the module name on the corresponding lines.

To enforce password policy, edit the password stack in the PAM configuration under /etc/pam.d: common-password on Debian-based systems, system-auth on Red Hat-based ones. PAM re-reads these files on every password change, so edits take effect immediately without restarting anything. Two caveats: on Debian/Ubuntu the file is managed by pam-auth-update, and on Fedora/CentOS/RHEL system-auth is normally a symlink to system-auth-ac, which authconfig regenerates; in both cases a later run of that tool can overwrite manual edits, so re-check the file afterwards.

Note that the pam_cracklib rules below are enforced only when a non-root user changes a password. When root runs passwd (for itself or for another user), a failed check only prints a warning and the password is accepted anyway, unless enforce_for_root is added to the pam_cracklib line.

Prevent Reusing Old Passwords

Look for the line that contains both "password" and "pam_unix.so", and append "remember=5" to it. This keeps a history of each user's five most recent password hashes in /etc/security/opasswd and rejects any new password that matches one of them.

On Debian, Ubuntu or Linux Mint:

$ sudo vi /etc/pam.d/common-password
password     [success=1 default=ignore] pam_unix.so obscure sha512 remember=5

On Fedora, CentOS or RHEL:

$ sudo vi /etc/pam.d/system-auth
password   sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Set Minimum Password Length

Look for the line that contains both "password" and "pam_cracklib.so", and set "minlen=10" on it. minlen is a minimum score rather than a raw length: every character scores one point, and each character class present in the password (upper-case, lower-case, digit, other) adds one credit, up to the value of its *credit option (default 1; see the next section). With minlen=10, a password that mixes all four classes may therefore be as short as 6 characters, while one made of a single class must be at least 9. The other two options on the line are retry (how many attempts the user gets before passwd gives up) and difok (how many characters of the new password must differ from the old one).

On Debian, Ubuntu or Linux Mint:

$ sudo vi /etc/pam.d/common-password
password   requisite pam_cracklib.so retry=3 minlen=10 difok=3

On Fedora, CentOS or RHEL:

$ sudo vi /etc/pam.d/system-auth
password   requisite pam_cracklib.so retry=3 difok=3 minlen=10

Set Password Complexity

Look for the line that contains "password" and "pam_cracklib.so", and append "ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1" to it. A negative value means "at least this many characters of that class": here one upper-case letter (ucredit), two lower-case letters (lcredit), one digit (dcredit) and one symbol (ocredit). A class with a negative credit no longer earns length credit, so with all four set this way minlen=10 becomes a plain minimum of 10 characters.

On Debian, Ubuntu or Linux Mint:

$ sudo vi /etc/pam.d/common-password
password   requisite pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

On Fedora, CentOS or RHEL:

$ sudo vi /etc/pam.d/system-auth
password   requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1

Set Password Expiration Period

To set a default maximum password age, edit the password-aging variables in /etc/login.defs: PASS_MAX_DAYS (maximum number of days a password stays valid) and PASS_WARN_AGE (days of warning before it expires).

$ sudo vi /etc/login.defs
PASS_MAX_DAYS   180
PASS_WARN_AGE   7

With these values, each password must be changed once every six months, and a warning is shown at login from seven days before expiration. Note that these are defaults that useradd copies into /etc/shadow when an account is created; they do not change the aging fields of accounts that already exist, for which you need chage as shown next.

If you want to set password expiration on per-user basis, use chage command instead. To view password expiration policy for a specific user:

$ sudo chage -l xmodulo
Last password change                                    : Dec 30, 2013
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

By default, a user's password is set to never expire (the maximum of 99999 days shown above).

To change the password expiration period for user xmodulo:

$ sudo chage -E 6/30/2014 -m 5 -M 90 -I 30 -W 14 xmodulo

The above command sets the account to expire (become inaccessible) on 6/30/2014. In addition, the minimum and maximum number of days between password changes are set to 5 and 90 respectively. The account is disabled 30 days after the password expires (-I), and a warning is shown at login from 14 days before password expiration (-W).
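As an added check that is not part of the original article, the following shell script verifies, read-only, that the policy described above is actually in place. It lints a PAM password stack for the options set in the earlier sections (including enforce_for_root and use_authtok, whose absence lets root, or a second unchecked prompt, bypass the cracklib checks) and lists the accounts in a shadow file whose password still never expires. The function names and the sample stack and shadow contents are constructed for the example; on a real system the files are /etc/pam.d/common-password (or system-auth) and /etc/shadow, and reading the latter requires root.

```shell
#!/bin/sh
# Added example: two read-only checks that the policy from this article is in
# place. Neither changes anything; both read a file you name (defaults shown),
# so they can be tried on copies or on the constructed samples at the bottom.

# 1. Lint a PAM password stack (/etc/pam.d/common-password on Debian/Ubuntu,
#    /etc/pam.d/system-auth on Fedora/CentOS/RHEL). Prints one finding per line
#    and returns 1 if anything is missing, 0 if the stack looks complete.
check_pam_password_stack() {
    awk '
        $1 == "password" {                        # skips comments and other stacks
            if ($0 ~ /pam_(cracklib|pwquality)\.so/) { q = $0; qline = NR }
            if ($0 ~ /pam_unix\.so/)                 { u = $0; uline = NR }
        }
        END {
            rc = 0
            if (q == "") { print "no pam_cracklib/pam_pwquality line"; rc = 1 }
            else {
                if (q !~ /minlen=/)          { print "quality line: minlen= not set"; rc = 1 }
                if (q !~ /[uldo]credit=-/)   { print "quality line: no negative *credit= (no class is mandatory)"; rc = 1 }
                if (q !~ /enforce_for_root/) { print "quality line: enforce_for_root missing (root bypasses checks)"; rc = 1 }
            }
            if (u == "") { print "no pam_unix.so line"; rc = 1 }
            else {
                if (u !~ /remember=/)   { print "pam_unix line: remember= not set (no password history)"; rc = 1 }
                if (u !~ /use_authtok/) { print "pam_unix line: use_authtok missing (it prompts for its own, unchecked password)"; rc = 1 }
                if (q != "" && qline > uline) { print "quality module is stacked after pam_unix; it must come first"; rc = 1 }
            }
            exit rc
        }' "${1:-/etc/pam.d/common-password}"
}

# 2. List accounts in a shadow(5) file that have a usable password hash but no
#    password expiry (max-days field empty or 99999): the default for accounts
#    created before PASS_MAX_DAYS was changed. One username per line.
list_never_expiring() {
    awk -F: '$2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' \
        "${1:-/etc/shadow}"
}

# Constructed samples (fake hashes, not from any real system) for trying the checks.
sample_weak_stack() {
    cat <<'EOF'
# Debian-style stack before the edits in this article
password  [success=1 default=ignore]  pam_unix.so obscure sha512
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF
}
sample_hardened_stack() {
    cat <<'EOF'
password  requisite                   pam_cracklib.so retry=3 minlen=10 difok=3 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1 enforce_for_root
password  [success=1 default=ignore]  pam_unix.so obscure use_authtok sha512 remember=5
password  requisite                   pam_deny.so
password  required                    pam_permit.so
EOF
}
sample_shadow() {
    cat <<'EOF'
root:$6$fakesalt$fakehash:15000:0:99999:7:::
xmodulo:$6$fakesalt$fakehash:16070:5:90:14:30::
backup:!:15000:0:99999:7:::
svc:$6$fakesalt$fakehash:15000::::::
EOF
}

tmp=$(mktemp)
sample_weak_stack > "$tmp"
check_pam_password_stack "$tmp" || echo "-> weak stack would be rejected"
sample_hardened_stack > "$tmp"
check_pam_password_stack "$tmp" && echo "-> hardened stack passes"
sample_shadow > "$tmp"
list_never_expiring "$tmp"          # root and svc; backup is locked, xmodulo expires
rm -f "$tmp"
```

Run the first function against the real stack after editing it, and the second against /etc/shadow (as root) to find the accounts that still need a chage -M; the script deliberately only reports, so the fix stays a separate, reviewable step.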

Dan Nanni is the founder and also a regular contributor of Xmodulo. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

11 thoughts on “How to set password policy on Linux”

  1. By all things holy, use cracklib (or similar) to check password safety and turn every other idiot check off. If you have a password generator you don't need to make sure every single one of them is 7$sghRT# because absolutely nothing else will pass the idiot checks. Everything else is just making sure that the password will be either

    a) P@ssword5
    b) on a post it (best solution. Deal.)
    c) you will be called every Monday to reset the password

  2. Your example works great except if I'm root or changing another user's password as root. Is there a way to include root into the password policy?

  3. Hi,

    Thanks for sharing such information. However I need more help on this.
    How can I store the last used passwords for some particular number of days so that password cannot be repeated too frequently?


  4. I followed your instructions on my centos server, but I still could give root a simple password like 123 after I made all the changes.

    Is there anything I could check on?

  5. How can I stop the authconfig from overwriting the password-auth / system-auth? Can authconfig be turned off? I cannot find a way to do that.
