
Creating a password policy in Linux

Hello again! Tomorrow, classes begin in the new Linux Administrator group, and on that occasion we are publishing a useful article on the topic.



In the previous tutorial, we talked about how to use pam_cracklib to enforce password complexity on Red Hat 6 or CentOS systems. In Red Hat 7, pam_pwquality replaced cracklib as the PAM module that checks passwords. The pam_pwquality module is also supported on Ubuntu and CentOS, as well as many other operating systems. This module simplifies the creation of password policies that ensure users meet your password complexity standards.
For a long time, the usual approach to passwords was to force users to include upper and lower case letters, digits or other characters. These basic password complexity rules have been actively promoted over the last ten years, and there has been much debate about whether this is good practice or not. The main argument against imposing such strict requirements was that users write their passwords down on pieces of paper and store them insecurely.

Another policy that has recently been challenged is forcing users to change their passwords every x days. Several studies have shown that this, too, is detrimental to security.

Many articles have been written arguing one side or the other of these debates, but that is not what we will discuss here. This article explains how to configure password complexity correctly, not how to manage a security policy.

Password Policy Settings

Below you will find the password policy settings with a brief description of each. Many of them are similar to the parameters of the cracklib module, which makes it easier to port your policies from the old system.


If the concept of credits sounds strange, don't worry; we will say more about it in a later section.

Password Policy Configuration

Before you start editing configuration files, it is good practice to write down the basic password policy in advance. As an example, we will use the following complexity rules:


Now that we have defined the policy, we can edit the /etc/security/pwquality.conf file to raise the password complexity requirements. Below is an example of the file, with comments for better understanding.

    # Make sure 5 characters in new password are new compared to old password
    difok = 5
    # Set the minimum length acceptable for new passwords
    minlen = 15
    # Require at least 2 digits
    dcredit = -2
    # Require at least 2 upper case letters
    ucredit = -2
    # Require at least 2 lower case letters
    lcredit = -2
    # Require at least 2 special characters (non-alphanumeric)
    ocredit = -2
    # Require a character from every class (upper, lower, digit, other)
    minclass = 4
    # Only allow each character to be repeated twice, avoid things like LLL
    maxrepeat = 2
    # Only allow a class to be repeated 4 times
    maxclassrepeat = 4
    # Check user information (Real name, etc) to ensure it is not used in password
    gecoscheck = 1
    # Leave default dictionary path
    dictpath =
    # Forbid the following words in passwords
    badwords = password pass word putorius

As you can see, some of the parameters in our file are redundant. For example, the minclass parameter is redundant, since we already require at least two characters from each class through the [u,l,d,o]credit fields. Our list of forbidden words is also redundant, since we have forbidden more than 4 consecutive characters of the same class (all words in our list consist solely of lowercase letters). I enabled these options only to demonstrate how they are used when configuring password policies.
Once you have created your policy, you can force users to change their passwords the next time they log in.

Another odd thing you may have noticed is that the [u,l,d,o]credit fields contain negative numbers. This is because a value greater than or equal to 0 grants credit for using that character class in your password, whereas a negative number means that a certain number of characters of that class is required.

What are credits?

I call them credits because that conveys their purpose most accurately. If a parameter's value is greater than 0, you add up to "x" credits to the password length, one per character of that class. For example, if all the (u,l,d,o)credit parameters are set to 1 and the required password length is 6, you will need 6 characters to meet the length requirement, because each character that is upper case, lower case, a digit or another character gives you one credit.

If you set dcredit to 2, you can in theory use a password 9 characters long, receive 2 credits for the digits, and the password then already counts as 10.

Take a look at this example. I set the minimum password length to 13, set dcredit to 2, and everything else to 0.

    $ pwscore
    Thisistwelve
    Password quality check failed:
     The password is shorter than 13 characters

    $ pwscore
    Th1sistwelve
    18

My first check failed because the password was shorter than 13 characters. The second time I changed the letter "i" to the digit "1" and received two credits for digits, which brought the password up to 13.
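To make the credit arithmetic and the rest of the policy above concrete, here is an added example (my own code, not part of the original article and not libpwquality itself) that models the checks discussed on this page: credits capped at the configured value per class, negative credits as minimum counts, minclass, maxrepeat, maxclassrepeat and badwords. difok and gecoscheck are not modelled, and the pwscore 0-100 score is not reproduced.

```python
import re

# Character classes as pwquality names them: d(igit), u(pper), l(ower), o(ther).
CLASSES = {
    "d": str.isdigit,
    "u": str.isupper,
    "l": str.islower,
    "o": lambda c: not c.isalnum(),
}

# The policy from the pwquality.conf above (difok and gecoscheck are not modelled).
ARTICLE_POLICY = dict(minlen=15, dcredit=-2, ucredit=-2, lcredit=-2, ocredit=-2,
                      minclass=4, maxrepeat=2, maxclassrepeat=4,
                      badwords=("password", "pass", "word", "putorius"))

def effective_length(pw, credits):
    """Password length plus credits: a credit value N > 0 adds min(count, N)
    for that class; a value <= 0 adds nothing (a negative value is a minimum)."""
    total = len(pw)
    for cls, cred in credits.items():
        if cred > 0:
            total += min(sum(1 for c in pw if CLASSES[cls](c)), cred)
    return total

def check(pw, minlen=8, dcredit=0, ucredit=0, lcredit=0, ocredit=0,
          minclass=0, maxrepeat=0, maxclassrepeat=0, badwords=()):
    """Return the list of violated rules; an empty list means the password passes."""
    credits = {"d": dcredit, "u": ucredit, "l": lcredit, "o": ocredit}
    counts = {cls: sum(1 for c in pw if f(c)) for cls, f in CLASSES.items()}
    problems = []
    if effective_length(pw, credits) < minlen:
        problems.append(f"shorter than {minlen} characters")
    for cls, cred in credits.items():
        if cred < 0 and counts[cls] < -cred:
            problems.append(f"needs at least {-cred} characters of class {cls}")
    if sum(1 for n in counts.values() if n) < minclass:
        problems.append(f"needs {minclass} character classes")
    # maxrepeat=2 allows "LL" but rejects "LLL": 3 or more of the same char in a row
    if maxrepeat and re.search(r"(.)\1{%d,}" % maxrepeat, pw):
        problems.append(f"more than {maxrepeat} identical consecutive characters")
    if maxclassrepeat:
        # Tag each character with its class letter and look for long runs of one class.
        tags = "".join(next((k for k, f in CLASSES.items() if f(c)), "o") for c in pw)
        if re.search(r"(.)\1{%d,}" % maxclassrepeat, tags):
            problems.append(f"more than {maxclassrepeat} consecutive characters of one class")
    if any(w in pw.lower() for w in badwords if w):
        problems.append("contains a forbidden word")
    return problems
```

Calling check("Thisistwelve", minlen=13, dcredit=2) reproduces the failed pwscore run above, while the same call with "Th1sistwelve" passes once the digit credit is counted.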

Password testing

The libpwquality package provides the functionality described in this article. It also ships the pwscore program, which is designed to check a password for complexity. We used it above to check credits.

The pwscore utility reads from stdin. Just run it and type your password; it will either print an error or a score from 0 to 100.

The password quality score is related to the minlen parameter in the configuration file. In general, a score below 50 is considered a "normal password" and a score above 50 a "strong password". Any password that passes the quality checks (especially the mandatory cracklib check) should withstand dictionary attacks, and a password scoring above 50 with the default minlen setting should withstand even a brute-force attack.

Conclusion

Setting up pwquality is easy and straightforward compared to the inconvenience of using cracklib by editing PAM files directly. In this guide, we covered everything you need to set up password policies on Red Hat 7, CentOS 7, and even Ubuntu systems. We also discussed the concept of credits, which is rarely described in detail, so this topic has often remained obscure to those who have not encountered it before.

Sources:

pwquality man page
pam_pwquality man page
pwscore man page

Useful links:

Choosing Secure Passwords - Bruce Schneier
Lorrie Faith Cranor discusses her password studies at CMU
The Infamous xkcd cartoon on Entropy

Source: https://habr.com/ru/post/448996/
