Re: how to change the existing password settings on FC3



On 4/30/06, Stuart Sears <stuart@xxxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ankush Grover wrote:
> On 4/30/06, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote:
> But how do I define complex password security that is forcing users to
> give at least 1 alphanumeric character, at least 1 upper case character and
> there should not be any first or middle or last name in the password.
The first/middle/last name is more difficult than you imagine (unless
these things form part of a user's login name).

For the other requirements:
As was suggested, PAM is your friend here. There are two password
strength checking modules that you could use here:
pam_cracklib
pam_passwdqc
You really should read the documentation here:
/usr/share/doc/pam-0*/; it's in both HTML and text format.
pam_passwdqc has its own docs in /usr/share/doc/pam_passwdqc-*/README

WARNING
in both of these cases you are going to be editing *very* important
system configuration files. It is fairly trivial to lock *all* users out
of your system by messing up PAM configuration, so
1) back up the original file
2) keep a proper tty (a text login console) open with root logged into
it while you work.
3) if you do mess it all up, reboot the system in single-user mode and
put the backed-up file back in place.

for system-wide password strength controls (i.e. ones that cover not only
the passwd command but also passwords changed over ssh, on first login,
using the GUI tool etc.) you'll edit /etc/pam.d/system-auth

for pam_cracklib you will want a line a little like this:
password required pam_cracklib.so length=20 ucredit=3 \
dcredit=3 ocredit=3 lcredit=3

which means:
a strong-enough password must score at least 20 points (length= is
arguably a misnomer). The points are granted thus:
1 point per character, no matter what it is.
1 extra point per uppercase letter, up to the maximum value given in
ucredit.
The same applies to lowercase (lcredit), digits (dcredit) and
non-alphanumeric chars (ocredit).

so in this case, a 20-char lowercase password is ok, but you can get
away with shorter passwords by mixing characters.
Mu?Pp3t_%5 has 10 chars
+2 for uppercase chars = 12
+3 other chars = 15
+3 lower chars = 18
+2 digits = 20 points

although this may be a little extreme. It will already check for words
based on your username or dictionary words, so you wouldn't get away
with a 20-char word from the system dictionary.
Be wary of over-strong passwords. They will be counter-productive for
ordinary users (in my experience).

pam_passwdqc is more prescriptive and permits the use of passphrases
(which I like).
password required pam_passwdqc min=disabled,16,12,14,10 \
max=30 passphrase=3

basically it takes an argument like this
min=A,B,C,D,E which represents the minimum length of passwords based on
their makeup:
A = passwords made up of one character class (i.e. lowercase only)
B = passwords from 2 character classes
C = characters in a passphrase
D = 3 character classes
E = 4 character classes
(incidentally, caps at the start and numbers at the end don't count!)

max = maximum possible password length
passphrase = minimum number of words that *must* be in a passphrase

there are plenty of other options too

so in the example above:
passwords must have at least 2 types of character in them
passwords from 2 classes must be 20 chars long
passphrases must be 12 chars long and contain at least 3 words
passwords with 3 types of char must be 14 chars long
passwords using all 4 classes can be 10 chars long

RTFM for more complex (!) explanations and the massive number of other
options.

you will probably also want to permit password aging (man chage)
possibly failed login monitoring (pam_tally)

Hey Mr. Stuart,

Thanks for your guidance.

Thanks & Regards

Ankush Grover
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
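To make the two scoring rules described in the thread concrete, here is an added worked example (my own code, not the source of pam_cracklib or pam_passwdqc and not part of the mailing-list post): a simplified Python model of pam_cracklib's credit-based score with the post's `length=20 ucredit=3 dcredit=3 ocredit=3 lcredit=3` line, and of pam_passwdqc's `min=disabled,16,12,14,10 max=30 passphrase=3` thresholds, including the "caps at the start and numbers at the end don't count" rule. The function names are mine, the dictionary/username/similarity checks both modules also perform are deliberately left out, and counting passphrase words as runs of letters is an assumption rather than the module's exact separator rule.

```python
import re
import string

# Added example: a simplified model of the two scoring rules the post
# describes.  It is NOT the source of pam_cracklib or pam_passwdqc, and it
# leaves out their dictionary, username, similarity and palindrome checks.


def _class_counts(password):
    """Return (upper, lower, digit, other) counts for an ASCII password."""
    upper = sum(c in string.ascii_uppercase for c in password)
    lower = sum(c in string.ascii_lowercase for c in password)
    digit = sum(c in string.digits for c in password)
    other = len(password) - upper - lower - digit
    return upper, lower, digit, other


def cracklib_score(password, ucredit=3, lcredit=3, dcredit=3, ocredit=3):
    """pam_cracklib-style score: 1 point per character, plus up to N extra
    points per character class, where N is that class's credit.
    (Negative credits, which the real module treats as hard minimums
    rather than bonuses, are not modelled here.)"""
    upper, lower, digit, other = _class_counts(password)
    return (len(password)
            + min(upper, ucredit)
            + min(lower, lcredit)
            + min(digit, dcredit)
            + min(other, ocredit))


def cracklib_ok(password, minlen=20, **credits):
    """The post's example line: length=20 ucredit=3 dcredit=3 ocredit=3
    lcredit=3.  What the post calls 'length=' is the 'minlen=' score."""
    return cracklib_score(password, **credits) >= minlen


def passwdqc_classes(password):
    """Character classes as pam_passwdqc counts them: an uppercase letter
    in first position and a digit in last position do not earn their
    class a point, because those are the usual 'Password1' tricks."""
    upper, lower, digit, other = _class_counts(password)
    if upper and password[0] in string.ascii_uppercase:
        upper -= 1
    if digit and password[-1] in string.digits:
        digit -= 1
    return sum(1 for n in (upper, lower, digit, other) if n)


def passwdqc_ok(password, min_=(None, 16, 12, 14, 10), passphrase=3, max_=30):
    """Simplified pam_passwdqc min=/max=/passphrase= check with the post's
    values: min=disabled,16,12,14,10 max=30 passphrase=3.  None stands
    for 'disabled'.  Words are counted as runs of letters (assumption)."""
    if not password or len(password) > max_:
        return False
    length = len(password)
    words = len(re.findall(r"[A-Za-z]+", password))
    # The third value of min= is the passphrase length; it applies when
    # the passphrase= word count is met.
    if passphrase and words >= passphrase and min_[2] is not None \
            and length >= min_[2]:
        return True
    # The other four values map 1, 2, 3 and 4 classes to min= positions
    # 1, 2, 4 and 5 respectively.
    classes = passwdqc_classes(password)
    if classes == 0:
        return False
    threshold = min_[{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    return threshold is not None and length >= threshold


if __name__ == "__main__":
    # Constructed sample passwords, including the post's Mu?Pp3t_%5.
    for pw in ("Mu?Pp3t_%5", "a" * 20, "Password1", "red fox jumps"):
        print(f"{pw!r:32} cracklib={cracklib_score(pw):2d} "
              f"cracklib_ok={cracklib_ok(pw)!s:5} "
              f"passwdqc_ok={passwdqc_ok(pw)}")
```

Running it shows the contrast the post hints at: 20 lowercase letters satisfy the cracklib line (score 23) but are rejected outright by the passwdqc line, because single-class passwords are `disabled` there, while `Password1` counts as a one-class password for passwdqc once its leading capital and trailing digit are discounted.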
