This post shows how to configure Linux password policy, focusing on password expiration and password complexity.
1. Password Expiration
To set the default password expiration when creating new accounts on CentOS/RHEL, edit the /etc/login.defs file.
PASS_MAX_DAYS 100
This sets the maximum number of days a password may be used before it must be changed. It applies to accounts created after the edit; existing accounts keep the aging values already stored in /etc/shadow. Check the man page of login.defs for the other options that can be set there.
$ man login.defs
2. Password Complexity
The PAM module pam_cracklib can be used to force password complexity requirements. The complexity can be specified with the following options:
- Minimum password length (minlen)
- Minimum number of lower case letters (lcredit)
- Minimum number of upper case letters (ucredit)
- Minimum number of numeric characters (dcredit)
- Minimum number of non-alphanumeric characters (ocredit)
Here is an example line from the /etc/pam.d/system-auth configuration file:
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
Given the above setting, users would be required to choose passwords that are at least 10 characters long and contain at least one lowercase character, one uppercase character, one number, and one special character. Note that a negative credit value is what makes a character class mandatory: ocredit=-1 means "at least one" such character. A positive value does not require the class at all; it only lets up to that many characters of the class count extra towards minlen, so minlen is an effective length, not a plain character count, unless all credits are negative as above.
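To make the two settings above concrete, here is an added shell example (not code from the original post) that reads PASS_MAX_DAYS from a constructed login.defs-style sample and evaluates candidate passwords with the credit rules pam_cracklib applies: a credit of -N means at least N characters of that class are required, while a credit of +N adds up to N characters of that class to the effective length compared against minlen. The sample file contents, the passwords and the function names are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a login.defs-style sample for
# PASS_MAX_DAYS and check passwords against pam_cracklib's minlen/credit semantics.
# Everything below (file contents, passwords, function names) is constructed.

# Constructed stand-in for /etc/login.defs (assumption: only these keys matter here).
SAMPLE_LOGIN_DEFS=$(cat <<'EOF'
# Password aging controls (constructed sample)
PASS_MAX_DAYS   100
PASS_MIN_DAYS   1
PASS_WARN_AGE   7
EOF
)

# login_defs_get KEY CONTENTS: print the value of KEY, skipping comment lines.
login_defs_get() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# count_class STRING CLASS: number of characters in STRING matching a tr class.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# cracklib_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Mirrors pam_cracklib's rule: for each class, credit >= 0 adds min(count, credit)
# to the effective length; credit < 0 rejects unless count >= -credit.
# Prints the verdict and returns 0 (accept) or 1 (reject).
cracklib_check() {
    pw=$1; minlen=$2
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    digits=$(count_class "$pw" '[:digit:]')
    upper=$(count_class "$pw" '[:upper:]')
    lower=$(count_class "$pw" '[:lower:]')
    others=$((len - $(count_class "$pw" '[:alnum:]')))   # non-alphanumeric
    size=$len
    for pair in "$digits:$3:digit" "$upper:$4:uppercase" "$lower:$5:lowercase" "$others:$6:special"; do
        have=${pair%%:*}; rest=${pair#*:}; credit=${rest%%:*}; name=${rest#*:}
        if [ "$credit" -ge 0 ]; then
            if [ "$have" -lt "$credit" ]; then size=$((size + have)); else size=$((size + credit)); fi
        elif [ "$have" -lt $((0 - credit)) ]; then
            echo "reject: needs at least $((0 - credit)) $name character(s)"; return 1
        fi
    done
    if [ "$size" -lt "$minlen" ]; then
        echo "reject: effective length $size is below minlen $minlen"; return 1
    fi
    echo "accept: effective length $size meets minlen $minlen"; return 0
}

# Demo with the post's setting (minlen=10, all credits -1) and with positive credits.
echo "PASS_MAX_DAYS in sample: $(login_defs_get PASS_MAX_DAYS "$SAMPLE_LOGIN_DEFS")"
cracklib_check 'Ab3$efghij' 10 -1 -1 -1 -1 || true     # accept: every class present, 10 chars
cracklib_check 'abcdefghij' 10 -1 -1 -1 -1 || true     # reject: no digit
cracklib_check 'abcdefg1' 10 1 1 1 1 || true           # accept: 8 chars + 1 digit credit + 1 lowercase credit
cracklib_check 'abcdefgh' 10 1 1 1 1 || true           # reject: 8 chars + 1 lowercase credit = 9
```

The last two calls show why a positive credit is weaker than it looks: 'abcdefg1' passes minlen=10 with only eight characters, because each class present contributes one character of credit, whereas the post's all-negative configuration turns minlen into a real minimum length and forces every class to appear.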