Configure PAM to enforce strong, system-wide password rules and reject weak credentials at the point of change.

21.11.2025 | reading time: 2 min

PAM controls authentication on Linux. This short guide shows how to enforce password complexity with pam_pwquality so that the system rejects weak passwords when users change them.

## Hands-on example: enforce complexity

Add a pam_pwquality rule and test it. The commands and a failed passwd attempt follow:

```bash
# Back up the current password stack before editing it
sudo cp /etc/pam.d/common-password /tmp/common-password.bak

# Insert the rule before the pam_unix.so line; a rule placed after pam_unix.so
# runs too late to reject the new password
sudo sed -i '/^password.*pam_unix\.so/i password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root' /etc/pam.d/common-password

# Set the same defaults in pwquality.conf (the first command overwrites the file)
sudo bash -c 'echo "minlen = 12" > /etc/security/pwquality.conf'
sudo bash -c 'echo "dcredit = -1" >> /etc/security/pwquality.conf'

# Create a test account and try to set a weak password
sudo useradd -m tester || true
sudo passwd tester
```

```
Changing password for tester.
New password: weakpass
BAD PASSWORD: it is based on a dictionary word
Retype new password:
```

## Tweak parameters and behavior

Change values such as minlen, dcredit, ucredit, lcredit and ocredit to require digits, upper/lowercase letters and symbols; a negative credit such as -1 means at least one character of that class is required. Use retry to limit attempts and enforce_for_root to include root, and consider combining pam_unix with the "obscure" option for additional checks.

## When policy alone is not enough

Combine password complexity with account lockout and aging: use faillock (or pam_tally2 on older systems) for brute-force protection, and chage to enforce expiration and rotation so that old, possibly compromised passwords are retired.

## Next steps and certification

Once the policy works in a test account, roll it out carefully to production and log the impact. Keep experimenting, read the pam_pwquality and libpwquality docs, and consider pursuing CompTIA Linux+ or LPIC-1 preparation, for example with bitsandbytes.academy, to turn this knowledge into certified skills.
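
An added example, not part of the original article: a shell function that audits a PAM password file for the rule from the hands-on section, checking that pam_pwquality.so is present, sits before pam_unix.so and carries the article's thresholds. The function name `check_pwquality_stack` and the sample file contents are constructed for illustration, and only arguments on the module line are inspected.

```bash
#!/bin/sh
# Added example: audit the "password" stack of a PAM file for the article's rule.
# Assumption: only arguments on the pam_pwquality.so line are inspected;
# values set in /etc/security/pwquality.conf are not read.
check_pwquality_stack() {
    awk '
    $1 != "password" { next }          # skips comments, blanks, other stacks
    /pam_pwquality\.so/ && !pwq {
        pwq = NR
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2) opt[kv[1]] = kv[2]; else flag[$i] = 1
        }
    }
    /pam_unix\.so/ && !unix { unix = NR }
    END {
        if (!pwq) { print "FAIL: no pam_pwquality.so rule"; exit 1 }
        bad = 0
        if (unix && unix < pwq) {
            print "FAIL: pam_pwquality.so (line " pwq ") runs after pam_unix.so (line " unix ")"
            bad = 1
        }
        if (opt["minlen"] + 0 < 12) { print "FAIL: minlen missing or below 12"; bad = 1 }
        n = split("dcredit ucredit lcredit ocredit", cls, " ")
        for (j = 1; j <= n; j++)
            if (opt[cls[j]] + 0 >= 0) { print "FAIL: " cls[j] " does not require a character"; bad = 1 }
        if (!("enforce_for_root" in flag)) { print "FAIL: enforce_for_root not set"; bad = 1 }
        if (!bad) print "OK: rule present, ordered before pam_unix.so, thresholds met"
        exit bad
    }' "$1"
}

# Constructed sample: the rule sits at the end of the file, after pam_unix.so.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/pam.d/common-password (constructed sample)
password [success=1 default=ignore] pam_unix.so obscure yescrypt
password requisite pam_deny.so
password required pam_permit.so
password requisite pam_pwquality.so retry=3 minlen=12 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 enforce_for_root
EOF
check_pwquality_stack "$sample" || echo "audit failed for $sample"
rm -f "$sample"
```

Run it against a copy of `/etc/pam.d/common-password` after each change; a non-zero exit status makes it usable as a gate in a configuration-management run.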