CCE

CCE-95046-9

Platform: cpe:/o:debian:debian_linux:11.x, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04
Date: (C)2020-10-15 (M)2023-09-01



The pam_cracklib module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, that it has a certain length, that it contains a mix of character classes (e.g. alphabetic, numeric, other) and more. The following are definitions of the pam_cracklib.so options:

* retry=3 - Allow 3 tries before sending back a failure.
* minlen=14 - Password must be 14 characters or more.
* dcredit=-1 - Provide at least one digit.
* ucredit=-1 - Provide at least one uppercase character.
* ocredit=-1 - Provide at least one special character.
* lcredit=-1 - Provide at least one lowercase character.
* enforcing=1 - Force the user to follow the password policy rule.

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policy.

Rationale: Strong passwords protect systems from being hacked through brute-force methods.

Fix: Set the following parameters in /etc/security/pwquality.conf:

minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
enforcing=1

Set the retry parameter as follows in /etc/pam.d/common-password:

password required pam_cracklib.so retry=3


Parameter:

[-2/-1/0, -2/-1/0, -2/-1/0, -2/-1/0, 3 attempts, minimum length 14 or more]


Technical Mechanism:

Set the following parameters in /etc/security/pwquality.conf:

minlen=14
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
enforcing=1

Set the retry parameter as follows in /etc/pam.d/common-password:

password required pam_cracklib.so retry=3
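The following audit helper is an added example, not SecPod's code or part of this CCE's OVAL content: it reads a pwquality.conf-style file and a common-password-style file and reports which of the settings required above are missing or weaker than required. The input files are constructed samples embedded in the script; point pwq_audit and pam_retry at the real /etc/security/pwquality.conf and /etc/pam.d/common-password to check a live system.

```shell
#!/bin/sh
# Added audit helper (not SecPod's code): check a pwquality.conf-style file and a
# PAM common-password-style file against the values CCE-95046-9 requires.

# Constructed sample input: a pwquality.conf that is deliberately non-compliant.
SAMPLE_PWQUALITY=$(mktemp)
cat > "$SAMPLE_PWQUALITY" <<'EOF'
# constructed sample, not a real system file
minlen = 8
dcredit = -1
ucredit = 0
ocredit = -1
enforcing = 1
EOF

# pwq_get FILE KEY: print the last uncommented "KEY = value" setting, or nothing.
pwq_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# pam_retry FILE: print the retry= value from the first "password ..." line, or nothing.
pam_retry() {
    sed -n 's/^[[:space:]]*password[[:space:]].*retry=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# pwq_audit FILE: print "key: ok|FAIL" per setting; return 0 only when every check passes.
pwq_audit() {
    file=$1; rc=0
    v=$(pwq_get "$file" minlen)          # length floor: must be set and >= 14
    if [ -n "$v" ] && [ "$v" -ge 14 ] 2>/dev/null; then echo "minlen: ok ($v)"
    else echo "minlen: FAIL (${v:-unset})"; rc=1; fi
    for k in dcredit ucredit ocredit lcredit; do
        v=$(pwq_get "$file" "$k")        # negative credit = class is required; 0 or positive = optional
        if [ -n "$v" ] && [ "$v" -le -1 ] 2>/dev/null; then echo "$k: ok ($v)"
        else echo "$k: FAIL (${v:-unset})"; rc=1; fi
    done
    v=$(pwq_get "$file" enforcing)       # 1 = the policy is enforced, as the CCE requires
    if [ "$v" = 1 ]; then echo "enforcing: ok"; else echo "enforcing: FAIL (${v:-unset})"; rc=1; fi
    return $rc
}

pwq_audit "$SAMPLE_PWQUALITY" || echo "pwquality.conf does not meet CCE-95046-9"
```

On the constructed sample the audit flags minlen (8), ucredit (0) and the missing lcredit, and passes dcredit, ocredit and enforcing.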

CCSS Severity:
CCSS Score: 9.8
Exploit Score: 3.9
Impact Score: 5.9
Severity: CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH
  

References:
Resource Id | Reference
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85122
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92190
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:65958
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:87305


OVAL (4):
oval:org.secpod.oval:def:85122
oval:org.secpod.oval:def:65958
oval:org.secpod.oval:def:92190
oval:org.secpod.oval:def:87305
...

XCCDF (11):
xccdf_org.secpod_benchmark_SecPod_Debian_11
xccdf_org.secpod_benchmark_SecPod_Ubuntu_23.04
xccdf_org.secpod_benchmark_SecPod_Ubuntu_22.04
xccdf_org.secpod_benchmark_SecPod_Ubuntu_20.04
...

© SecPod Technologies