Information
The pam_passwdqc.so module checks the strength of passwords. It performs checks such as making sure a password is not a dictionary word, is a certain length, and contains a mix of characters (e.g. alphabetic, numeric, other), and more, based on the following options set in /etc/security/passwdqc.conf:
min=disabled,disabled,disabled,disabled,14 - The password must be 14 characters or more and consist of four character classes.
max=40 - The maximum allowed password length is 40.
passphrase=3 - The number of words required for a passphrase is at least 3.
match=4 - The length of common substring required to conclude that a password is at least partially based on information found in a character string is 4.
similar=deny - A password that is similar to the old one is denied.
random=47 - The size of randomly-generated passphrases in bits is 47.
enforce=everyone - Warn everyone for weak passwords.
retry=3 - Let the user provide a password 3 times if the user fails to provide a sufficiently strong password and enter it twice the first time.
For more details, refer to pam_passwdqc module documentation. The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.
Rationale:
Strong passwords protect systems from being hacked through brute force methods.
Solution
Edit the file /etc/security/passwdqc.conf and add or modify the following lines for password length and complexity to conform to site policy:
min=disabled,disabled,disabled,disabled,14
max=40
passphrase=3
match=4
similar=deny
random=47
enforce=everyone
retry=3
Edit the /etc/pam.d/system-auth file to include the appropriate options for pam_passwdqc.so and to conform to site policy:
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
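One way to verify both steps of the solution after editing, as an added example that is not part of the original benchmark text or the passwdqc project. The function names and the temporary sample files are hypothetical, and the comparison is an exact string match against the values listed above, so adjust POLICY if your site policy differs.

```shell
#!/bin/sh
# Added example: audit copies of passwdqc.conf and a PAM stack file.
# Expected values are the ones listed on this page; edit to match site policy.
POLICY='min=disabled,disabled,disabled,disabled,14
max=40
passphrase=3
match=4
similar=deny
random=47
enforce=everyone
retry=3'

# audit_passwdqc_conf FILE
# Prints one FAIL line per setting that is missing or differs; returns 1 on any failure.
audit_passwdqc_conf() {
    rc=0
    for want in $POLICY; do
        key=${want%%=*}
        # Every uncommented assignment of this key, with outer whitespace trimmed.
        found=$(grep -E "^[[:space:]]*${key}=" "$1" 2>/dev/null |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort -u)
        if [ -z "$found" ]; then
            echo "FAIL: $key not set (expected $want)"; rc=1
        elif [ "$found" != "$want" ]; then
            echo "FAIL: $key differs from policy (expected $want)"; rc=1
        fi
    done
    return "$rc"
}

# audit_pam_stack FILE
# Succeeds only if an uncommented "password" line loads pam_passwdqc.so with the
# config= path used on this page. Fields must be whitespace-separated.
audit_pam_stack() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[^#]*pam_passwdqc\.so[[:space:]]+([^#]*[[:space:]])?config=/etc/security/passwdqc\.conf([[:space:]]|$)' "$1"
}

# Constructed sample input (not taken from a real host): max and enforce are off-policy.
sample=$(mktemp -d)
printf '%s\n' "$POLICY" | sed 's/^max=40$/max=72/; /^enforce=/d' > "$sample/passwdqc.conf"
printf 'password required pam_passwdqc.so config=/etc/security/passwdqc.conf\n' > "$sample/system-auth"
audit_passwdqc_conf "$sample/passwdqc.conf" || echo "passwdqc.conf: not compliant"
audit_pam_stack "$sample/system-auth" && echo "system-auth: pam_passwdqc.so line present"
```

To audit a live host, call the two functions with /etc/security/passwdqc.conf and /etc/pam.d/system-auth instead of the sample paths.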
Additional Information:
Consult your documentation for the appropriate PAM file and module.
Additional module options may be set; the recommendation requirements only cover including try_first_pass and minlen set to 14 or more.
Settings in /etc/security/pwquality.conf must use spaces around the = symbol.