Status: Deprecated

This article covers a version of CentOS that is no longer supported. If you are currently operating a server running CentOS 6, we highly recommend upgrading or migrating to a supported version of CentOS.

Reason: CentOS 6 reached end of life (EOL) on November 30th, 2020 and no longer receives security patches or updates. For this reason, this guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other CentOS releases. If available, we strongly recommend using a guide written for the version of CentOS you are using.

About Password Policy

Password policy is a set of rules that must be satisfied when a system user is setting a password. Password policy is an important factor in computer security since user passwords are too often the main reason for computer system security breach. This is why most companies and organizations incorporate password policy into the company official regulations. All users and user passwords must comply to official company password policy.

Password policy usually defines:

• Password Aging
• Password Length
• Password Complexity
• Number of Login Failures
• Number of Re-Used Password to Deny

Step 1: Configuring /etc/login.defs — Aging and Length

Password aging controls and password length are defined in /etc/login.defs file. Password aging refers to the maximum number of days password may be used, minimum number of days allowed between password changes, and number of warning days before the password expires. Password length refers to the number of characters needed to have for the password to be allowed. To configure password aging controls and password length, edit /etc/login.defs file and set PASS values according to your company password policy.

The password aging controls and password length do not affect existing users, they only affect newly created users!

• PASS_MAX_DAYS - Maximum number of days a password may be used.
• PASS_MIN_DAYS - Minimum number of days allowed between password changes.
• PASS_MIN_LEN - Minimum acceptable password length.
• PASS_WARN_AGE - Number of days warning given before a password expires.

Example configuration file /etc/login.defs:

#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 90
PASS_MIN_DAYS 2
PASS_MIN_LEN 9
PASS_WARN_AGE 14

...

Step 2: Configuring /etc/pam.d/system-auth — Complexity and Re-Used Passwords

By editing /etc/pam.d/system-auth configuration file, we can configure the password complexity and number of re-used passwords to deny. Password complexity refers to the complexity of the characters used in the password and number of re-used passwords to deny refers to denying the desired number of passwords the user used in the past. By setting password complexity, we can force a user to use the desired number of capital characters, lower case characters, numbers and symbols in a password. If the password complexity standards are not satisfied, the password will not be accepted by the system.

• Force Capital Characters In Passwords - ucredit=-X, where X is the number of capital characters required in password
• Force Lower Case Characters In Passwords - lcredit=-X, where X is the number of lower case characters required in password
• Force Numbers In Passwords - dcredit=-X, where X is the number numbers required in password
• Force The Use Of Symbols In Passwords - ocredit=-X, where X is the number of symbols required in password

password requisite pam_cracklib.so try_first_pass retry=3 type= ucredit=-2 lcredit=-2 dcredit=-2 ocredit=-2

• Deny Re-Used Passwords - remember=X, where X is the number of past passwords to deny

password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5

Example configuration file /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

Step 3: Configuring /etc/pam.d/password-auth — Login Failures

The number of login failures is set in /etc/pam.d/password-auth file. Number of login failures refers to the number of failed logins a user can make before his account is locked out. When the account is locked out, a system administrator can unlock the account. To configure the number of login failures, two new lines need to be added to /etc/pam.d/password-auth file. The parameter "deny=X" (where X is the number of login failures) configures the number of login failures permitted before the account is locked.

auth required pam_tally2.so deny=3
account required pam_tally2.so

Example configuration file /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_tally2.so deny=3
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account required pam_tally2.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so