5.4.1 Ensure password creation requirements are configured - 'minlen'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.



The pam_pwquality.so module checks the strength of passwords. It performs checks such as making sure that a password is not a dictionary word, is a certain length, and contains a mix of characters (e.g. alphabetic, numeric, other). The following are definitions of the pam_pwquality.so options.

The following options are set in the /etc/security/pwquality.conf file:

Password Length:

minlen = 14 - password must be 14 characters or more

Password complexity:

minclass = 4 - The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others)


dcredit = -1 - provide at least one digit

ucredit = -1 - provide at least one uppercase character

ocredit = -1 - provide at least one special character

lcredit = -1 - provide at least one lowercase character

The following is set in the /etc/pam.d/common-password file:

retry=3 - Allow 3 tries before sending back a failure.

The settings shown above are one possible policy. Alter these values to conform to your own organization's password policies.


Strong passwords protect systems from being hacked through brute force methods.


Run the following command to install the pam_pwquality module:

apt install libpam-pwquality

Edit the file /etc/security/pwquality.conf and add or modify the following line for password length to conform to site policy:

minlen = 14

Edit the file /etc/security/pwquality.conf and add or modify the following lines for password complexity to conform to site policy:

minclass = 4


dcredit = -1
ucredit = -1
ocredit = -1
lcredit = -1

Edit the /etc/pam.d/common-password file to include the appropriate options for pam_pwquality.so and to conform to site policy:

password requisite pam_pwquality.so retry=3

Additional Information:

Additional module options may be set; the recommendation's requirements only cover including try_first_pass and setting minlen to 14 or more.

Settings in /etc/security/pwquality.conf must use spaces around the = symbol.
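
A read-only check of the values configured above, given here as an added example and not part of this audit or the benchmark. It assumes the effective value of a key is its last uncommented `key = N` line, treats lines without spaces around `=` as unset (following the note above), and expects retry=3 exactly as shown on this page; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: read-only audit; files are arguments so it can run on copies.
# Print the effective value of a pwquality.conf key: the last uncommented
# "key = N" line (spaces around "=" required, per the note on this page).
pwq_value() {   # $1 = key, $2 = conf file
    sed -n "s/^[[:space:]]*$1  *=  *\(-\{0,1\}[0-9][0-9]*\)[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# Succeed if minlen is set and is 14 or more.
check_minlen() {   # $1 = conf file
    v=$(pwq_value minlen "$1")
    [ -n "$v" ] && [ "$v" -ge 14 ]
}

# Succeed if the complexity values equal the policy shown on this page.
check_complexity() {   # $1 = conf file
    [ "$(pwq_value minclass "$1")" = 4 ] || return 1
    for k in dcredit ucredit ocredit lcredit; do
        [ "$(pwq_value "$k" "$1")" = -1 ] || return 1
    done
}

# Succeed if an uncommented password line loads pam_pwquality.so with retry=3.
check_pam() {   # $1 = common-password file
    grep -Eq '^[[:space:]]*password[[:space:]][^#]*pam_pwquality\.so[^#]*[[:space:]]retry=3([[:space:]]|$)' "$1"
}

# Print PASS/FAIL for one check; $1 = label, rest = command to run.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; return 1; fi
}
# Run every check; return non-zero if any failed.
audit_pwquality() {   # $1 = pwquality.conf, $2 = common-password
    rc=0
    report "minlen >= 14" check_minlen "$1" || rc=1
    report "complexity" check_complexity "$1" || rc=1
    report "pam_pwquality.so retry=3" check_pam "$2" || rc=1
    return $rc
}
# Constructed sample: commented-out line ignored, live minlen too short.
demo() {
    tmp=$(mktemp -d); s=0
    printf '# minlen = 14\nminlen = 9\nminclass = 4\n' > "$tmp/pwquality.conf"
    printf 'password requisite pam_pwquality.so retry=3\n' > "$tmp/common-password"
    audit_pwquality "$tmp/pwquality.conf" "$tmp/common-password" || s=$?
    rm -rf "$tmp"; return $s
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the script with `--demo` to see the constructed sample fail the minlen and complexity checks, or source it and call `audit_pwquality /etc/security/pwquality.conf /etc/pam.d/common-password`.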
