Password policies
A separate password policy protects the system against the use of weak passwords. Decide on the length and complexity required for user passwords and follow the recommendations below:
To define a password policy, edit /etc/pam.d/passwd as follows:
doas ee /etc/pam.d/passwd
Remove the "#" at the beginning of the line
password requisite pam_passwdqc.so enforce=users
and add entries for the pam_passwdqc module as required:
password requisite pam_passwdqc.so min=disabled,disabled,disabled,disabled,10 similar=deny retry=3 enforce=users
Five values can be set after min=, since five password categories are predefined for this module. The categories describe complexity requirements, such as combinations of special characters, lowercase and uppercase letters, and numbers. Each value in the min= list is either disabled or a number giving the minimum password length, and corresponds, in this order, to one of the following password categories:
- Passwords using a single character class, i.e. passwords consisting only of numbers, only of lowercase letters or only of uppercase letters
- Passwords using two character classes, e.g. passwords consisting of lowercase and uppercase letters
- Passphrases, i.e. strings of words separated by spaces
- Passwords using three character classes, e.g. lowercase and uppercase letters and numbers
- Passwords using four character classes, i.e. lowercase and uppercase letters as well as numbers and special characters
So the example shown only allows passwords that use all four character classes and are at least 10 characters long. "similar" defines whether a new password may be similar to the old password. "retry" sets how often pam_passwdqc prompts for a new password when the user fails to choose one that meets the password policy.
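As an added illustration, not part of the original guide, the following Python script parses the min= list from a pam_passwdqc line and checks candidate passwords against it. It applies the simplified rule that a password passes when it is long enough for the number of character classes it uses, or when it is a passphrase of at least three words (pam_passwdqc's default passphrase= value, assumed here); it does not model the module's other checks such as similar= or dictionary tests.

```python
import re
import string

# Column order of pam_passwdqc's min= option (pam_passwdqc(8)):
# N0 one class, N1 two classes, N2 passphrase, N3 three classes, N4 four classes.
MIN_FIELDS = ("one_class", "two_classes", "passphrase", "three_classes", "four_classes")
CLASS_FIELD = {1: "one_class", 2: "two_classes", 3: "three_classes", 4: "four_classes"}
PASSPHRASE_WORDS = 3  # pam_passwdqc's default passphrase= value, assumed here


def parse_min(pam_line):
    """Return the five min= thresholds of a pam_passwdqc line; None means 'disabled'."""
    match = re.search(r"\bmin=(\S+)", pam_line)
    if not match:
        raise ValueError("no min= option on the line")
    parts = match.group(1).split(",")
    if len(parts) != 5:
        raise ValueError("min= needs exactly five comma-separated values")
    values = [float("inf") if p == "disabled" else int(p) for p in parts]
    # pam_passwdqc requires each number to be no larger than the one before it.
    if any(later > earlier for earlier, later in zip(values, values[1:])):
        raise ValueError("min= values must be non-increasing")
    return {k: (None if v == float("inf") else v) for k, v in zip(MIN_FIELDS, values)}


def char_classes(password):
    """Count the character classes used: digits, lowercase, uppercase, other."""
    alnum = string.ascii_letters + string.digits
    return sum((any(c in string.digits for c in password),
                any(c in string.ascii_lowercase for c in password),
                any(c in string.ascii_uppercase for c in password),
                any(c not in alnum for c in password)))


def meets_policy(password, policy):
    """Simplified pam_passwdqc acceptance: long enough for its class count,
    or a passphrase with enough words and at least the N2 length."""
    if not password:
        return False
    limit = policy[CLASS_FIELD[char_classes(password)]]
    if limit is not None and len(password) >= limit:
        return True
    limit = policy["passphrase"]
    return (limit is not None and len(password.split()) >= PASSPHRASE_WORDS
            and len(password) >= limit)


if __name__ == "__main__":
    # Constructed sample: the policy line from the text above.
    policy = parse_min("password requisite pam_passwdqc.so "
                       "min=disabled,disabled,disabled,disabled,10 similar=deny retry=3 enforce=users")
    for candidate in ("Troubador123", "Tr0ub&xy", "Tr0ub4dor&3xx"):
        print(f"{candidate!r}: {meets_policy(candidate, policy)}")
```

With the policy from the text, a 12-character three-class password and an 8-character four-class password are both rejected, while a 13-character four-class one is accepted.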
For more information on configuring password policies, visit https://www.freebsd.org/cgi/man.cgi?query=pam_passwdqc