There are no password requirements by default in CentOS and Fedora; however, it is very simple to add them.
- Edit /etc/pam.d/system-auth
- Change the line which says:
    password requisite pam_cracklib.so try_first_pass retry=3
  to
    password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=2 dcredit=3 ocredit=-1 lcredit=1
NOTES:
minlen=N minimum password size
dcredit=N the maximum credit for having digits in the new password
lcredit=N the maximum credit for having lowercase in the new password
ocredit=N the maximum credit for having other characters in the new password
ucredit=N the maximum credit for having uppercase in the new password
difok=N the default number of characters which need to differ from the current password
The way this works is that for each character type you define the maximum “bonus” the user gets for using it. If you use a negative number, then the password is required to contain at least that many characters of that type. A value of lcredit=-2 means there is a requirement of at least 2 lowercase letters. With the settings shown above the minimum length is 8, so the password “foobar”, which is 6 characters long, gets 6 points plus 1 for using lowercase, giving a total score of 6 + 1 = 7. Here are some more password examples using the settings shown above:
Password | Count | Total Score | Valid |
---|---|---|---|
foobar | 6 + 1 | 7 | No |
Foobar | 6 + 1 + 1 | 9 | Yes |
FOobar | 6 + 2 + 1 | 10 | Yes |
F0obar1! | 6 + 2 + 3 + 1 + 3 | 15 | Yes |
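
The credit rule described above can be checked before a policy is rolled out. The following is an added example, not pam_cracklib's own code or code from this page: it parses the edited system-auth line and models only the length-and-credit check (dictionary and difok checks are not modeled). The function names and sample passwords are constructed, and the defaults are assumed from the module's documentation.

```python
import string

# Assumption: defaults taken from the pam_cracklib documentation.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CLASSES = {"dcredit": string.digits, "ucredit": string.ascii_uppercase,
           "lcredit": string.ascii_lowercase}  # anything else counts for ocredit

def parse_cracklib_line(line):
    """Return the integer options set on a pam_cracklib line of system-auth."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields)
                if f.endswith("pam_cracklib.so")), None)
    if idx is None:
        raise ValueError("not a pam_cracklib line")
    opts = dict(DEFAULTS)
    for arg in fields[idx + 1:]:
        key, sep, value = arg.partition("=")
        if sep and key in opts:          # skips retry=3, try_first_pass, ...
            opts[key] = int(value)
    return opts

def evaluate(password, opts):
    """Return (score, accepted, reasons) for the length/credit check only."""
    counts = dict.fromkeys(["dcredit", "ucredit", "lcredit", "ocredit"], 0)
    for ch in password:
        opt = next((o for o, chars in CLASSES.items() if ch in chars), "ocredit")
        counts[opt] += 1
    score, reasons = len(password), []
    for opt, found in counts.items():
        credit = opts[opt]
        if credit >= 0:                  # bonus, capped at the configured credit
            score += min(found, credit)
        elif found < -credit:            # negative credit: hard minimum, no bonus
            reasons.append(f"{opt}={credit} requires at least {-credit}, found {found}")
    if score < opts["minlen"]:
        reasons.append(f"score {score} is below minlen={opts['minlen']}")
    return score, not reasons, reasons

LINE = ("password requisite pam_cracklib.so try_first_pass retry=3 "
        "minlen=8 ucredit=2 dcredit=3 ocredit=-1 lcredit=1")

if __name__ == "__main__":
    policy = parse_cracklib_line(LINE)
    # Constructed sample passwords, chosen to hit each outcome.
    for pw in ("foobar", "Foobar12", "ab-cde", "Tr1cky-pw"):
        score, ok, reasons = evaluate(pw, policy)
        print(f"{pw:10} score={score:2} {'accepted' if ok else 'rejected'} {reasons}")
```

In this model a negative credit is checked independently of the score, so a password can reach minlen and still be rejected for lacking a required character type.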