Hack 31 Create an Effective, Reusable Password Policy



Traditionally, it has been difficult for a Unix administrator to create and enforce a reusable password policy. Fortunately, PAM addresses this.

If you're using FreeBSD 5.0 or higher, your system has a PAM (Pluggable Authentication Modules) module specifically designed to assist in the creation and enforcement of a reusable password policy. If you're running a different version of BSD, see the end of this hack for other sources for this module.

3.9.1 Introducing pam_passwdqc

Before using this module, spend some time reading man pam_passwdqc, as it thoroughly covers each option and its possible values. Any values contained within parentheses are defaults. As you read through this manpage, compare those defaults with your own network's security policy and make note of any values that will require a change.

This PAM module is fairly comprehensive, allowing you to enable many of the features expected in a password policy. Here's an overview of the configurable features:

  • Minimum and maximum password lengths

  • Force a mix of digits, lowercase, uppercase, symbols, and non-ASCII characters

  • Minimum number of words in a passphrase

  • Minimum number of characters to consider as a string (dictionary word)

  • Ability to search for strings that are words written backwards, or are words written in a mix of upper- and lowercase

  • Check new password for similar string contained within old password

  • Suggest a randomly generated password

  • Setting to either warn about weak passwords or enforce strong passwords

  • How many times a user is allowed to retry setting a password if he fails to choose a strong password

3.9.2 Enabling pam_passwdqc

Once you've finished perusing the manpage, you should have a list of values that you'll want to modify to reflect your network's security policy. Enabling pam_passwdqc is simply a matter of adding or editing a line so that it contains your customized options.

On FreeBSD 4.x, add that line to the password section of /etc/pam.conf. On 5.x, edit instead the password section of /etc/pam.d/passwd. Let's look at that file on a FreeBSD 5.1 system:

# more /etc/pam.d/passwd
# $FreeBSD: src/etc/pam.d/passwd,v 1.1 2002/04/15 03:01:31 des Exp $
# PAM configuration for the "passwd" service
# passwd(1) does not use the auth, account or session services.
# password
#password        requisite        pam_passwdqc.so        enforce=users
password        required        pam_unix.so        no_warn try_first_pass

Obviously, you'll need to uncomment the pam_passwdqc.so line to enable the module. Note that the one option already on that line, enforce=users, overrides the module's default of enforce=everyone.

Let's see what happens when I uncomment that line and then try to use passwd as a regular user named test. Even though passwords aren't echoed to the terminal, I've shown in this output the passwords that I typed in:

% passwd
Changing local password for test
Old Password: test
You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.
A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "inward!smell:Milan".

As you can see, the password policy is provided, along with an example of a strong password that meets the policy requirements. Except for that one option, this particular policy includes the default settings mentioned in man pam_passwdqc.

Enter new password: test
Weak password: is the same as the old one.
Try again.

Here I tried to use the same password. Even worse, it doesn't meet any of the password policy's requirements. However, pam_passwdqc rejected the password, gave me another try, and patiently repeated the password policy along with another password suggestion:

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.
A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "Sony,seed,cereal".

Enter new password: test1
Weak password: too short.
Try again.

Well, I tried another variation of my old password, but it is still too short. Here we go again:

You can now choose the new password or passphrase.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.
A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.

Alternatively, if noone else can see your terminal now, you can
pick this as your password: "torso&lotus_burly".

Enter new password: test1234
Weak password: not enough different characters or classes for this length.
passwd: pam_chauthtok(): authentication token failure
%

Looks like the default retry count is three, as I was booted out after three tries. This time the password was long enough at eight characters, but only contained numbers and lowercase characters. The instructions clearly state that an eight-character password needs a mix of three different types of characters.

It's important to note that if the superuser changes a user's password, she will receive the same error messages if the password does not comply with the policy. However, after the error message, the superuser will be asked to retype that poor password, and it will be accepted. Why? Because of the enforce=users option. If you remove it, the module falls back to its default of enforce=everyone, which requires even the superuser to choose good passwords. Which setting you choose depends on the security requirements of your password policy.

3.9.3 Adding Your Own Options

It's easy to change the default settings. Simply add your option to the end of the pam_passwdqc.so line. Then, test your change as a regular user to see what effect it has. You may want to create a test account for just this purpose.

For example, to force users to choose a password that is at least 10 characters long and a mix of uppercase letters, lowercase letters, numbers, and symbols, set N4 to 10 and disable the other four values. Don't know what N4 is? Better reread that section of the manpage before changing this parameter. In short, min=N0,N1,N2,N3,N4 gives the minimum length for passwords built from one, two, three (N3), and four (N4) character classes, with N2 being the minimum for passphrases; disabling every value but N4 means only four-class passwords can pass.

password        requisite        pam_passwdqc.so        min=disabled,disabled,disabled,disabled,10
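The passwd transcript above and this min= line follow the same set of rules, and it helps to see them spelled out. The following Python model is an added example, not the module's code and not part of the original hack: it encodes the default thresholds from man pam_passwdqc (min=disabled,24,11,8,7, max=40, passphrase=3), the four-class line just shown, and the "common pattern" discount that keeps a leading capital or a trailing digit from earning an extra class. Two things are assumptions rather than facts from the manpage: the "enough different characters" rule is modeled as at least half the length threshold being distinct characters, and non-ASCII characters are simply counted as symbols.

```python
"""Model of pam_passwdqc's length-and-class policy (added example, not the module)."""
import string

DISABLED = None  # stands for the keyword "disabled" in a min= option

# Defaults from man pam_passwdqc: min=disabled,24,11,8,7 max=40 passphrase=3
DEFAULT_POLICY = {"min": (DISABLED, 24, 11, 8, 7), "max": 40, "passphrase": 3}
# The custom line from this hack: min=disabled,disabled,disabled,disabled,10
FOUR_CLASS_POLICY = {"min": (DISABLED,) * 4 + (10,), "max": 40, "passphrase": 3}

# Which min= slot governs a password using c character classes.
# Slot 2 (N2) is reserved for passphrases and is tried separately.
SLOT_FOR_CLASSES = {1: 0, 2: 1, 3: 3, 4: 4}


def parse_min_option(value):
    """Parse the text after "min=" into the five-tuple used by check_password."""
    fields = value.split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated values")
    return tuple(DISABLED if f == "disabled" else int(f) for f in fields)


def classes_and_words(password):
    """Count character classes (after the common-pattern discount) and words."""
    digits = lowers = uppers = others = words = 0
    prev = " "
    for ch in password:
        if ch in string.digits:
            digits += 1
        elif ch in string.ascii_lowercase:
            lowers += 1
        elif ch in string.ascii_uppercase:
            uppers += 1
        else:
            others += 1  # symbols; non-ASCII lumped in here (assumption)
        # A word starts where a letter follows a non-letter.
        if ch in string.ascii_letters and prev not in string.ascii_letters:
            words += 1
        prev = ch
    # Common pattern: a capitalized first letter and a digit tacked on the
    # end do not count toward the number of classes.
    if uppers and password[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and password[-1] in string.digits:
        digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n)
    return classes, words


def check_password(new, old=None, policy=DEFAULT_POLICY):
    """Return None if `new` is acceptable, else a reason in the module's wording."""
    mins = policy["min"]
    if old is not None and new == old:
        return "is the same as the old one"
    enabled = [m for m in mins if m is not DISABLED]
    if not enabled:
        raise ValueError("every min= threshold is disabled; nothing could pass")
    # The manpage requires N0 >= N1 >= ... >= N4, so the smallest enabled
    # threshold is the absolute minimum length.
    if len(new) < min(enabled):
        return "too short"
    if len(new) > policy["max"]:
        return "is too long"
    classes, words = classes_and_words(new)
    distinct = len(set(new))
    # Try the real class count first; fewer classes carry larger (or
    # disabled) thresholds, but the passphrase slot N2 may still rescue it.
    for c in range(classes, 0, -1):
        thresholds = [mins[SLOT_FOR_CLASSES[c]]]
        if c == 2 and policy["passphrase"] and words >= policy["passphrase"]:
            thresholds.append(mins[2])
        for t in thresholds:
            # Distinct-character rule is an assumption: half the threshold.
            if t is not DISABLED and len(new) >= t and distinct >= (t + 1) // 2:
                return None
    return "not enough different characters or classes for this length"


if __name__ == "__main__":
    # Replay the transcript above under the defaults, then the four-class line.
    for pw in ("test", "test1", "test1234", "inward!smell:Milan", "Sony,seed,cereal"):
        print(f"{pw!r:22} -> {check_password(pw, old='test') or 'OK'}")
    for pw in ("Abcdefgh1!", "aBcdefgh1!", "aBcdefg1!"):
        print(f"{pw!r:22} -> {check_password(pw, policy=FOUR_CLASS_POLICY) or 'OK'}")
```

Run it and the three rejections from the transcript come back in order (same as the old one, too short, not enough classes for the length), while both suggested passwords pass: "Sony,seed,cereal" only because it qualifies as a three-word passphrase under N2. Under the four-class line, "Abcdefgh1!" fails even though it looks like four classes, because the leading capital is discounted; "aBcdefgh1!" passes.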

Or, to force users to use the randomly picked password:

password        requisite        pam_passwdqc.so        random=42,only

Here I've used the default random value of 42. You can experiment by increasing that number until the randomly generated passwords meet your strength requirements. Settings much higher than 70 may produce error messages; this is what the end user will see:

System configuration error.  Please contact your administrator.
passwd: pam_chauthtok(1): authentication token failure

The superuser will see:

This system is configured to use randomly generated passwords
only, but the attempt to generate a password has failed.  This
could happen for a number of reasons: you could have requested
an impossible password length, or the access to kernel random
number pool could have failed.
passwd: pam_chauthtok(1): authentication token failure

That's your hint to choose a lower random number.

Once you've settled on a reasonable number, this is what users will see when they change their passwords:

% passwd
Changing local password for test
Old Password:
You can now choose the new password.

This system is configured to permit randomly generated passwords
only.  If noone else can see your terminal now, you can pick this
as your password: "lounge-mummy:cellar-dozen".  Otherwise, come
back later.

Enter new password:

A user who hates that password can retry a few times to see other possibilities. Pressing Enter will generate another random password. Typing in anything other than the randomly generated password will cause the password change to fail.

3.9.4 Additional Configuration

You may have noticed that pam_passwdqc does not control how often a user is forced to change his password. Set this instead in /etc/login.conf. Besides the actual expiry period, you can also change the amount of advance warning users will receive about an impending password change.

If you make any changes to /etc/login.conf, test your changes by immediately logging in at another terminal. A typo in this file can prevent logins to a system!

For example, adding these lines to the default:\ section will set a password expiry of 30 days, giving 5 days warning:

:warnpassword=5d:\
:passwordtime=30d:\

If one of those entries happens to be the final entry in the default:\ section, don't include the trailing \ in that last entry.


Don't forget to rebuild the database once you've saved your changes:

# cap_mkdb /etc/login.conf
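Because a typo in /etc/login.conf can lock everyone out, it is worth checking the edit before running cap_mkdb. The following Python dry-run reader is an added example, not part of the original hack and not a substitute for cap_mkdb: it joins the backslash-continued lines of a getcap-style record, splits the colon-separated capabilities, follows tc= inheritance, and converts login.conf(5) time periods (a number with a y, w, d, h, m or s suffix, concatenable as in "1w2d"; a bare number is taken as seconds) so you can see what passwordtime and warnpassword resolve to. It also flags the mistake warned about above: a record whose last entry still carries a trailing backslash. The login.conf fragments below are constructed for this example.

```python
"""Dry-run reader for login.conf password-aging entries (added example, not cap_mkdb)."""

# Constructed sample: a trimmed default: record carrying the two entries
# from this hack, and a standard: class that inherits from it via tc=.
SAMPLE_LOGIN_CONF = """\
# Comments and blank lines separate records.
default:\\
\t:passwd_format=md5:\\
\t:copyright=/etc/COPYRIGHT:\\
\t:warnpassword=5d:\\
\t:passwordtime=30d:\\
\t:umask=022:

standard:\\
\t:tc=default:
"""

# The same file with the trailing backslash left on the final default: entry.
BAD_LOGIN_CONF = SAMPLE_LOGIN_CONF.replace(":umask=022:", ":umask=022:\\")

UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_period(text):
    """login.conf(5) time period: '30d' -> 2592000, '1w2d' -> 777600, '90' -> 90."""
    total, digits = 0, ""
    for ch in text:
        if ch.isdigit():
            digits += ch
        elif ch in UNIT_SECONDS and digits:
            total += int(digits) * UNIT_SECONDS[ch]
            digits = ""
        else:
            raise ValueError(f"malformed time period {text!r}")
    return total + (int(digits) if digits else 0)  # bare trailing number = seconds


def parse_records(text):
    """Return {record_name: {capability: value}}; boolean capabilities map to True."""
    records, pending = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            if pending:  # a continued record ran into a separator line
                name = pending[0].split(":")[0]
                raise ValueError(f"record {name!r} is continued into a blank or comment "
                                 "line: drop the trailing backslash on its last entry")
            continue
        pending.append(line.rstrip("\\"))
        if line.endswith("\\"):
            continue  # continuation: the record goes on in the next line
        fields = [f.strip() for f in "".join(pending).split(":")]
        pending = []
        name, caps = fields[0].split("|")[0], {}
        for field in fields[1:]:
            if field:
                key, sep, value = field.partition("=")
                caps[key] = value if sep else True
        records[name] = caps
    if pending:
        raise ValueError("file ends inside a continued record: stray trailing backslash")
    return records


def resolve(records, name, _seen=()):
    """Merge in tc= parents (the child's own values win), guarding against loops."""
    if name in _seen:
        raise ValueError(f"tc= loop through {name!r}")
    own = dict(records[name])
    parent = own.pop("tc", None)
    if parent is None:
        return own
    merged = resolve(records, parent, _seen + (name,))
    merged.update(own)
    return merged


def password_aging(records, name):
    """(passwordtime, warnpassword) in seconds for login class `name`; None if unset."""
    caps = resolve(records, name)
    expiry = parse_period(caps["passwordtime"]) if "passwordtime" in caps else None
    warn = parse_period(caps["warnpassword"]) if "warnpassword" in caps else None
    if expiry is not None and warn is not None and warn >= expiry:
        raise ValueError("warnpassword must be shorter than passwordtime")
    return expiry, warn


def lint(text):
    """Return None if the file parses cleanly, else the error message."""
    try:
        parse_records(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGIN_CONF)
    for cls in ("default", "standard"):
        expiry, warn = password_aging(recs, cls)
        print(f"{cls}: passwordtime={expiry}s warnpassword={warn}s")
    print("bad file:", lint(BAD_LOGIN_CONF))
```

Point the script at a copy of your edited file, and if lint() is clean and the two classes report the expiry and warning you intended, run cap_mkdb; if it reports the trailing-backslash error, fix that last entry first.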

3.9.5 See Also

  • man pam_passwdqc

  • man login.conf

  • The Pluggable Password Checking web site (http://www.openwall.com/passwdqc/README.shtml)

  • The PAM Essentials section of the FreeBSD Handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html)



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne