Marc S. Weidner
d0b363d7d4
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 53s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
76 lines
3.5 KiB
INI
76 lines
3.5 KiB
INI
### Current recommendations for '/etc/security/pwquality.conf' based on common best practices, including NIST SP 800-63B,
|
|
### https://pages.nist.gov/800-63-3/sp800-63b.html and weighing usability against security.
|
|
|
|
### Configuration for systemwide password quality limits
|
|
### Defaults:
|
|
|
|
### Number of characters in the new password that must not be present in the old password.
|
|
difok = 4
|
|
|
|
### Length over complexity: Studies show that longer passphrases are significantly more resistant to brute-force and dictionary
|
|
### attacks. NIST recommends at least eight characters but advises longer passphrases (e.g., 12-64) for increased security.
|
|
### Twenty characters strike a good balance between security and user convenience. Minimum acceptable size for the new password
|
|
### (plus one if credits are not disabled, which is the default). Cannot be set to a lower value than 6.
|
|
minlen = 42
|
|
|
|
### dcredit = 0, ucredit = 0, lcredit = 0, ocredit = 0, minclass = 0
|
|
### NIST SP 800-63B advises against rigid complexity rules (numbers, symbols, uppercase) because they can lead users to adopt
|
|
### predictable patterns (e.g., "Pa$$word!"). Length and dictionary checks are more effective.
|
|
|
|
### The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new
|
|
### password.
|
|
dcredit = 0
|
|
|
|
### The maximum credit for having uppercase characters in the new password. If less than 0, it is the minimum number of
|
|
### uppercase characters in the new password.
|
|
ucredit = 0
|
|
|
|
### The maximum credit for having lowercase characters in the new password. If less than 0, it is the minimum number of
|
|
### lowercase characters in the new password.
|
|
lcredit = 0
|
|
|
|
### The maximum credit for having other characters in the new password. If less than 0, it is the minimum number of other
|
|
### characters in the new password.
|
|
ocredit = 0
|
|
|
|
### The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).
|
|
minclass = 0
|
|
|
|
### The maximum number of allowed consecutive same characters in the new password. The check is disabled if the value is 0.
|
|
maxrepeat = 4
|
|
|
|
### The maximum number of allowed consecutive characters of the same class in the new password. The check is disabled if the
|
|
### value is 0.
|
|
maxclassrepeat = 0
|
|
|
|
### Whether to check for the words from the passwd entry GECOS string of the user. The check is enabled if the value is not 0.
|
|
### gecoscheck = 0
|
|
|
|
### Whether to check for the words from the cracklib dictionary. The check is enabled if the value is not 0.
|
|
dictcheck = 1
|
|
|
|
### Whether to check if it contains the username in some form. The check is enabled if the value is not 0.
|
|
usercheck = 1
|
|
|
|
### Length of substrings from the username to check for in the password. The check is enabled if the value is greater than 0,
|
|
### and the usercheck is enabled.
|
|
usersubstr = 3
|
|
|
|
### Whether the check is enforced by the PAM module and possibly other applications. The new password is rejected if it fails
|
|
### the check, and the value is not 0.
|
|
enforcing = 1
|
|
|
|
### Path to the cracklib dictionaries. The default is to use the cracklib default.
|
|
dictpath =
|
|
|
|
### Prompt user at most N times before returning with error. The default is 1.
|
|
retry = 3
|
|
|
|
#### Enforces pwquality checks on the root user password. Enabled if the option is present.
|
|
enforce_for_root
|
|
|
|
### Skip testing the password quality for users that are not present in the '/etc/passwd' file. Enabled if the option is present.
|
|
local_users_only
|
|
|
|
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
|