Setting up PAM and cracklib for more secure passwords

From BNL Physics Computing

One common way that BNL has been compromised has been through weak passwords. Using PAM and cracklib it is possible to enforce password complexity. Cracklib's complexity requirements do not exactly follow those of BNL, however they do lead to stronger passwords by not artificially shrinking the search space.

The following is how to set up PAM to use cracklib on (Debian) Linux which is authenticating against LDAP.

Installation

 apt-get install libpam-cracklib

Configure

/etc/pam.d/common-password

password required       pam_cracklib.so retry=3 minlen=12 lcredit=2 ucredit=2 ocredit=2 dcredit=2
password sufficient     pam_unix_passwd.so use_authtok
password sufficient     pam_ldap.so use_authtok
password required       pam_deny.so

The pam_cracklib line says:

  1. Allow 3 failures to choose a proper password before bailing out
  2. Require a password "length" of 12 characters
  3. Give up to 2 length credits for lower case characters
  4. Give up to 2 credits for upper case characters
  5. Give up to 2 credits for "other" characters (symbols)
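To make the credit arithmetic concrete, here is an added Python model of how pam_cracklib totals a password's "length" against minlen (an illustration written for this page, not the module's own code; it models only the minlen/credit rule, not cracklib's dictionary, palindrome or similarity checks). PAGE_POLICY is the configuration line above; the negative-credit branch is the module's documented alternative where -N means "require at least N of that class":

```python
"""Model of pam_cracklib's minlen/credit arithmetic (added illustration).

Mirrors the page's line:
    minlen=12 lcredit=2 ucredit=2 ocredit=2 dcredit=2
"""

# Constructed to match the configuration shown on the page.
PAGE_POLICY = {"minlen": 12, "lcredit": 2, "ucredit": 2, "ocredit": 2, "dcredit": 2}


def _classify(password):
    """Count characters per cracklib class: lower, upper, digit, other."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.islower():
            counts["lcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.isdigit():
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1  # symbols, spaces, anything else
    return counts


def effective_length(password, policy):
    """Raw length plus credits.

    A positive Ncredit adds up to N for characters of that class; a negative
    Ncredit adds nothing and instead demands at least |N| such characters
    (returns None when that hard requirement is not met).
    """
    counts = _classify(password)
    total = len(password)
    for cls, count in counts.items():
        credit = policy[cls]
        if credit >= 0:
            total += min(count, credit)
        elif count < -credit:
            return None  # class requirement not satisfied
    return total


def passes(password, policy=PAGE_POLICY):
    """True if the password's credited length reaches minlen."""
    eff = effective_length(password, policy)
    return eff is not None and eff >= policy["minlen"]


if __name__ == "__main__":
    for pw in ("abcdefghij", "Abc1", "Tr0ub4dor&3x"):
        print(pw, effective_length(pw, PAGE_POLICY), passes(pw))
```

Note that a ten-character all-lowercase string already reaches the "length" of 12 through its two lowercase credits, which is why the page puts length in quotes.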