How to force users to use secure passwords on Ubuntu/Debian Linux

My Linux shell users can change their passwords using the passwd command. How can I force users to choose a secure password and prevent them from using stupid passwords like “abc123”, “password”, “123456” and so on? How do I set up password quality requirements on my Debian or Ubuntu Linux server?

You need to install the libpam-cracklib package, which includes a PAM module that tests new passwords to make sure they are not too weak when a user changes a password with the passwd command on Linux.

Securing passwords with libpam-cracklib

The libpam-cracklib strength check works as follows. First, the Cracklib routine is called to check whether the password is part of a dictionary; if it is not, an additional set of strength checks is done. These checks are:

  1. Is the new password a palindrome?
  2. Is the new password the old one with only a change of case?
  3. Is the new password too much like the old one? This is primarily controlled by one argument, difok which is a number of character changes (inserts, removals, or replacements) between the old and new password that are enough to accept the new password. This defaults to 5 changes.
  4. Is the new password too small? This is controlled by 6 arguments minlen, maxclassrepeat, dcredit, ucredit, lcredit, and ocredit.
  5. Is the new password a rotated version of the old password?
  6. Optional check for same consecutive characters.
  7. Optional check for too long monotonic character sequence.
  8. Optional check whether the password contains the user’s name in some form.

The /etc/passwd file and /etc/shadow file are used on Linux to store user information including passwords.


Type one of the following commands to install libpam-cracklib on an Ubuntu or Debian Linux based system:
$ sudo apt install libpam-cracklib
or
$ sudo apt-get install libpam-cracklib
Sample outputs:

Fig.01: Install a PAM module called Cracklib


You need to edit the file /etc/pam.d/common-password. Make a backup copy first, then open the file in a text editor:
$ sudo cp /etc/pam.d/common-password /root/
$ sudo nano /etc/pam.d/common-password

Or, if you prefer vi:
$ sudo vi /etc/pam.d/common-password

Now you can force users to have strong passwords that contain complex characters including lowercase, digits, uppercase, special characters and punctuation. Locate the line:

password        requisite              pam_cracklib.so retry=3 minlen=8 difok=3

And update it as follows:

password        requisite              pam_cracklib.so retry=3 minlen=16 difok=3 ucredit=-1 lcredit=-2 dcredit=-2 ocredit=-2


  • retry=3 : Prompt user at most 3 times before returning with error. The default is 1.
  • minlen=16 : The minimum acceptable size for the new password.
  • difok=3 : This argument will change the default of 5 for the number of character changes in the new password that differentiate it from the old password.
  • ucredit=-1 : The new password must contain at least 1 uppercase character.
  • lcredit=-2 : The new password must contain at least 2 lowercase characters.
  • dcredit=-2 : The new password must contain at least 2 digits.
  • ocredit=-2 : The new password must contain at least 2 symbols.

Negative (N<0) vs Positive (N>0) numbers in an option

Of course, these are sample values. A negative number such as -2 (e.g. ucredit=-2) sets the minimum number of characters of that class (here, uppercase letters) that a new password must contain. A positive number is the maximum credit for having characters of that class in the new password. Taking dcredit as the example: if you have N digits or fewer, each digit counts +1 towards meeting the current minlen value. The default for dcredit is 1, which is the recommended value for minlen less than 10. You may need to adjust these values for your setup to resist brute-force attacks.
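The credit arithmetic described above, modelled in Python as an added example (it is not code from pam_cracklib or from this tutorial). It covers only the minlen and *credit options, not the dictionary or similarity checks; the function names, the second policy and the sample passwords are constructed for illustration.

```python
import string

def count_classes(password):
    """Count digits (d), uppercase (u), lowercase (l) and other (o) characters."""
    counts = {"d": 0, "u": 0, "l": 0, "o": 0}
    for ch in password:
        if ch in string.digits:
            counts["d"] += 1
        elif ch in string.ascii_uppercase:
            counts["u"] += 1
        elif ch in string.ascii_lowercase:
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts

def check_length_rules(password, minlen, dcredit, ucredit, lcredit, ocredit):
    """Return (ok, reason) for the minlen/credit rules only.

    N >= 0 is a maximum credit: each character of that class, up to N,
    lowers the required length by 1. N < 0 makes -N characters of that
    class mandatory and gives no credit for them.
    """
    counts = count_classes(password)
    required = minlen
    for key, credit in (("d", dcredit), ("u", ucredit),
                        ("l", lcredit), ("o", ocredit)):
        if credit >= 0:
            required -= min(counts[key], credit)
        elif counts[key] < -credit:
            return False, f"needs at least {-credit} of class '{key}'"
    if len(password) < required:
        return False, f"length {len(password)} < required {required}"
    return True, f"length {len(password)} >= required {required}"

# The tutorial's settings: negative values, so minlen=16 means 16 real characters.
PAGE_POLICY = dict(minlen=16, dcredit=-2, ucredit=-1, lcredit=-2, ocredit=-2)
# Constructed comparison: same minlen, but each class may earn one credit.
CREDIT_POLICY = dict(minlen=16, dcredit=1, ucredit=1, lcredit=1, ocredit=1)

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Tr0ub4dor&3x!", "Corr3ct-H0rse_Battery!", "alllowercaseletters1"):
        print(pw)
        print("  page policy:  ", check_length_rules(pw, **PAGE_POLICY))
        print("  credit policy:", check_length_rules(pw, **CREDIT_POLICY))
```

With positive credits a 13-character password that mixes all four classes satisfies minlen=16, which is why the negative values used in this tutorial give a stricter length guarantee.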

Test it

Now, if a user tries to set a new simple (weak) password:
$ sudo passwd vivek
New password:
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password:
Sorry, passwords do not match.
New password:
BAD PASSWORD: it is WAY too short
BAD PASSWORD: is a palindrome
Retype new password:
Sorry, passwords do not match.
New password:

Here is a sample password that will pass our requirements:

[email protected]



And there you have it: secure passwords enforced automatically using the security checks and constraints of libpam-cracklib on a Debian or Ubuntu Linux system.

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.