
Introduction to Account Policies

Author(s): Matthias Lee (ml2322)


Last Updated: 8-13-2025


Recommended Prerequisites: None! This is an introductory article.

What is Account Policies?

Account policies refer to all system policies regarding user accounts and groups, including but not limited to password length and complexity, account locking, umask, and more.

Why is this important?

Account policies are important because insecure account policies permit insecure user accounts to exist, enlarging the attack surface. Secure account policies ensure that every user account meets a high security standard, preventing simple attacks.

PAM

PAM, or Pluggable Authentication Modules, is the software that handles authentication in almost all versions of Linux. PAM is one of the key elements of account policies. Further reading on PAM is recommended in addition to these guides.

Basic account policies

Password strength

Password strength is one of the most basic account policy settings: it ensures that all accounts have passwords that meet length, complexity, and dictionary requirements, which defends against brute-force and dictionary attacks. Password strength can be enforced with PAM's pam_pwquality.so module. To get started, open /etc/pam.d/common-password in a text editor and find the pwquality line. It should look something like this:

password   requisite   pam_pwquality.so retry=3

As of now, this line only contains retry=3, allowing 3 retries when a user is prompted for their password. Yours may contain more options than just this. If so, great! You already have more password policies set by default. To ensure that you're using the most secure password policy, add the following options to your pwquality line:

minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 reject_username enforce_for_root

It should look like this:

password  requisite   pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 reject_username enforce_for_root

This is a lot, so let's break down what each of these arguments means.

  • retry=3: As previously discussed, this allows 3 attempts to correctly enter your password.
  • minlen=12: Requires passwords to be at least 12 characters long
  • maxrepeat=3: Rejects passwords containing more than 3 identical consecutive characters
  • ucredit=-1: Requires at least one uppercase letter
  • lcredit=-1: Requires at least one lowercase letter
  • dcredit=-1: Requires at least one digit
  • ocredit=-1: Requires at least one special character or symbol
  • difok=3: Requires that the new password contain at least 3 characters that were not in the old one
  • reject_username: Rejects a password that contains your username (forwards or reversed)
  • enforce_for_root: Enforces these settings even for the root user

Password age

While not as obvious as password strength, password age is also important for account security: a password that is kept for too long without being changed is more likely to be stolen. Allowing passwords to be changed too soon is also insecure, as it makes it easier for an attacker to change someone's password. Not to worry, as we can configure all of these settings in /etc/login.defs. To get started, open /etc/login.defs in your text editor. Then, find the group of lines that look like this:

PASS_MAX_DAYS 9999
PASS_MIN_DAYS 0
PASS_WARN_AGE 9999

If they are commented out, uncomment them, and if you don't have them, go ahead and add them. These lines set, respectively, the maximum age of a password before the user must change it, the minimum age before it can be changed again, and the number of days before expiry at which the user is warned that the password is about to expire. Go ahead and set them to secure values like so:

PASS_MAX_DAYS 14
PASS_MIN_DAYS 5
PASS_WARN_AGE 7
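To verify that both settings above actually took effect, here is an added audit script (not part of the original article) that checks a pam_pwquality line for the recommended options and a login.defs excerpt for the aging values; the PAM_*, LOGIN_DEFS_* samples and the function names are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not code from the original article: it checks a pam_pwquality
# line and login.defs aging values against the settings recommended above.
# All sample inputs below are constructed for the demo.
PAM_WEAK='password   requisite   pam_pwquality.so retry=3'
PAM_STRONG='password  requisite   pam_pwquality.so retry=3 minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 reject_username enforce_for_root'
LOGIN_DEFS_WEAK='# PASS_MAX_DAYS 14
PASS_MAX_DAYS 9999
PASS_MIN_DAYS 0
PASS_WARN_AGE 9999'
LOGIN_DEFS_HARDENED='PASS_MAX_DAYS 14
PASS_MIN_DAYS 5
PASS_WARN_AGE 7'

# Print each recommended option missing from pwquality line $1. Options are matched
# as whole tokens, so minlen=1 does not satisfy minlen=12. Returns 0 if none missing.
check_pwquality_line() {
  missing=0
  for opt in minlen=12 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 \
             difok=3 reject_username enforce_for_root; do
    case " $1 " in
      *" $opt "*) ;;
      *) echo "missing: $opt"; missing=1 ;;
    esac
  done
  return $missing
}
# Print the effective value of key $2 in login.defs text $1: commented lines are
# skipped (their first field is "#") and the last definition wins.
login_defs_value() {
  printf '%s\n' "$1" | awk -v key="$2" '$1 == key { val = $2 } END { print val }'
}
# Check aging values in login.defs text $1 against the values set above: MAX_DAYS
# at most 14, MIN_DAYS at least 5, and a WARN_AGE of at least 7 that is still below
# MAX_DAYS (otherwise the warning fires at every login). Returns 0 if all pass.
check_login_defs() {
  max=$(login_defs_value "$1" PASS_MAX_DAYS)
  min=$(login_defs_value "$1" PASS_MIN_DAYS)
  warn=$(login_defs_value "$1" PASS_WARN_AGE)
  ok=0
  [ -n "$max" ] && [ "$max" -le 14 ] || { echo "PASS_MAX_DAYS: got '$max', want <= 14"; ok=1; }
  [ -n "$min" ] && [ "$min" -ge 5 ] || { echo "PASS_MIN_DAYS: got '$min', want >= 5"; ok=1; }
  [ -n "$warn" ] && [ "$warn" -ge 7 ] && [ "$warn" -lt "${max:-0}" ] || { echo "PASS_WARN_AGE: got '$warn', want 7..$max"; ok=1; }
  return $ok
}
# Stand-alone demo over the constructed samples.
check_pwquality_line "$PAM_WEAK" || echo "weak pwquality line needs hardening"
check_login_defs "$LOGIN_DEFS_HARDENED" && echo "hardened login.defs: OK"
```

Keep in mind that login.defs aging values apply to accounts created after the change; accounts that already exist keep their current aging settings unless they are updated separately.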
Further Reading