1. Password Expiration
To set the default password expiration when creating new accounts on CentOS/RHEL, edit the /etc/login.defs file.
PASS_MAX_DAYS 100
PASS_MAX_DAYS is the maximum number of days a password may be used. See the login.defs man page for the other options that can be set in /etc/login.defs:
$ man login.defs
2. Password Complexity
The PAM module pam_cracklib can be used to enforce password complexity requirements. The complexity can be specified with the following options:
- Minimum password length (minlen)
- Minimum number of lower case letters (lcredit)
- Minimum number of upper case letters (ucredit)
- Minimum number of numeric characters (dcredit)
- Minimum number of non-alphanumeric characters (ocredit)
Here is an example line in /etc/pam.d/system-auth:
password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
Given the above setting, users would be required to choose passwords that are at least 10 characters long and that contain at least one lowercase character, one uppercase character, one number and one special character. Note that to require any of these characteristics, a negative number is specified.
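To check that a host actually carries the two settings described above, the following added example (not part of the original page) reads PASS_MAX_DAYS from a login.defs-format file and flags pam_cracklib options that do not enforce the policy. The function names pass_max_days and cracklib_findings are hypothetical, the sample files are constructed, and the minimum length of 10 is taken from the example line above.

```shell
#!/bin/sh
# Added example, not from the original page. Sample files below are constructed.

# Print the PASS_MAX_DAYS value from a login.defs-format file, or "unset".
# If the key appears more than once the last value is reported (assumption).
pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Print one finding per line for the first pam_cracklib password line in
# PAM file $1: minlen below $2, or a credit option that is absent or not
# negative (only a negative value makes that character class mandatory).
# Prints nothing when the line meets the policy.
cracklib_findings() {
    line=$(grep -E '^[[:space:]]*password[[:space:]].*pam_cracklib\.so' "$1" | head -n 1)
    if [ -z "$line" ]; then echo "no pam_cracklib password line"; return 0; fi
    for opt in minlen dcredit ucredit lcredit ocredit; do
        val=$(printf '%s\n' "$line" | tr ' \t' '\n\n' | sed -n "s/^$opt=//p" | tail -n 1)
        if [ -z "$val" ]; then
            echo "$opt not set"
        elif [ "$opt" = minlen ]; then
            [ "$val" -ge "$2" ] || echo "minlen=$val is below $2"
        else
            [ "$val" -lt 0 ] || echo "$opt=$val does not require that character class"
        fi
    done
}

# Constructed sample inputs, written to a temporary directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# PASS_MAX_DAYS 99999' 'PASS_MAX_DAYS 100' > "$demo_dir/login.defs"
printf '%s\n' 'password required /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1' > "$demo_dir/good"
printf '%s\n' 'password required pam_cracklib.so retry=3 minlen=8 dcredit=1 ucredit=-1 lcredit=-1' > "$demo_dir/weak"

echo "PASS_MAX_DAYS: $(pass_max_days "$demo_dir/login.defs")"
echo "findings for the page's line: $(cracklib_findings "$demo_dir/good" 10)"
echo "findings for the weak line:"
cracklib_findings "$demo_dir/weak" 10
```

To audit a real system, pass /etc/login.defs and /etc/pam.d/system-auth to the two functions instead of the sample files.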