
Password Complexity Rules in Ubuntu 20.04

June 24, 2022 (updated September 12th, 2022)

Welcome to this blog and video where we will investigate the default password complexity in Ubuntu 20.04. As administrators we benefit from understanding how passwords are managed and what their complexity rules are, so we can explain them to our users. Additionally, we will learn to adjust the rules to match the system's security needs.

I think we have all struggled at some point trying to set a new password: it is not long enough, not complex enough, or maybe too complex. Don't you just hate it when you can't use punctuation in a password? That is certainly one of my pet hates. Using Ubuntu 20.04, the default complexity requires at least 6 characters and a mix of letters and numbers. Additionally, there are rules that check how similar the new password is to the existing one.

The rules are set inside the file /etc/pam.d/common-password. The line that controls the password looks like this by default:

password [success=1 default=ignore] pam_unix.so obscure sha512

The work of enforcing the password complexity is done by the pam_unix module and its two options, obscure and sha512. The last option is the easiest to understand: the password is hashed with the SHA-512 algorithm. The obscure option is exactly that, obscure! It is this option that sets the complexity requirements. We can open the man page for pam_unix and jump straight to the word "obscure":

$ man pam_unix | less +/obscure

obscure
    Enable some extra checks on password strength. These checks are based on the "obscure" checks in the original shadow package. The behavior is similar to the pam_cracklib module, but for non-dictionary-based checks. The following checks are implemented:

    Palindrome
        Verifies that the new password is not a palindrome of (i.e., the reverse of) the previous one.

    Case Change Only
        Verifies that the new password isn't the same as the old one with a change of case.

    Similar
        Verifies that the new password isn't too much like the previous one.

    Simple
        Is the new password too simple? This is based on the length of the password and the number of different types of characters (alpha, numeric, etc.) used.

    Rotated
        Is the new password a rotated version of the old password? (E.g., "billy" and "illyb")

Being able to search directly from the command line is a useful trick, so practice it.

If we need to simplify passwords on the system, we can reduce the minimum password length from 6 to 4 with the minlen option and remove the obscure checks:

password [success=1 default=ignore] pam_unix.so minlen=4 sha512

This is just an example and not necessarily advised. We are now able to set simple passwords such as: 1234
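To see why pam_unix refuses or accepts a change before editing common-password, here is an added Python re-implementation of the five obscure checks as the man page above describes them, plus the minlen floor used in the simplified configuration. This is not Linux-PAM's own code: the thresholds in the "similar" and "simple" checks are assumptions that approximate pam_unix, not values taken from its source.

```python
# Added example: the pam_unix "obscure" checks as described by the man page.
# Not Linux-PAM's code; the similar/simple thresholds are assumptions.

def _char_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, other) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def _too_similar(old: str, new: str) -> bool:
    """Assumption: 'similar' means at least half of the old password's
    characters (counted with repeats) also occur somewhere in the new one."""
    if not old:
        return False
    shared = sum(1 for c in old if c in new)
    return shared * 2 >= len(old)


def _too_simple(new: str, minlen: int) -> bool:
    """Assumption: a single character class needs minlen + 3 characters and
    each extra class buys one character off, but minlen is always a floor."""
    required = max(minlen, minlen + 3 - _char_classes(new))
    return len(new) < required


def check_password(old: str, new: str, minlen: int = 6, obscure: bool = True) -> list:
    """Return the reasons the change would be refused; an empty list means accepted."""
    reasons = []
    if len(new) < minlen:
        reasons.append("too short")
    if not obscure:                      # e.g. 'minlen=4 sha512' with no obscure option
        return reasons
    o, n = old.lower(), new.lower()      # compare case-folded copies
    if n == o[::-1]:
        reasons.append("palindrome of the old password")
    if n == o and old != new:
        reasons.append("case change only")
    if _too_similar(o, n):
        reasons.append("too similar to the old password")
    if _too_simple(new, minlen):
        reasons.append("too simple")
    if len(n) == len(o) and n != o and n in o + o:   # "billy" -> "illyb"
        reasons.append("rotated version of the old password")
    return reasons


if __name__ == "__main__":
    for old, new in [("billy", "illyb"), ("Password", "PASSWORD"), ("oldpass1", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {check_password(old, new) or 'accepted'}")
```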

We may also want to increase the security. This, of course, means adding the obscure checks back in, but we could also increase the minimum length and record password history so that previously used passwords cannot be reused.

password [success=1 default=ignore] pam_unix.so minlen=8 obscure remember=10 sha512

The option remember=10 tells PAM to store the last 10 passwords of each user. These are kept in the file /etc/security/opasswd.