User Password Policies
Password policies on Ubuntu are enforced through two mechanisms: password aging (how long a password is valid, how often it can be changed) controlled by chage and /etc/login.defs, and password complexity (minimum length, character types) enforced by PAM modules. Setting these correctly is especially important on servers exposed to multiple users or under compliance requirements.
Password aging with chage
# View all aging settings for a user
sudo chage -l irfan
chage -l output
Last password change : Jun 01, 2024
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between pass : 0
Maximum number of days between pass : 99999
Number of days of warning before exp: 7
# Set password maximum age (expire after 90 days)
sudo chage -M 90 irfan
# Set minimum days between password changes (stops users cycling straight back to an old password)
sudo chage -m 7 irfan
# Set warning period before expiry
sudo chage -W 14 irfan
# Set inactivity period (lock the account 30 days after the password expires if it has not been changed)
sudo chage -I 30 irfan
# Set account expiry date
sudo chage -E 2025-12-31 irfan
# Remove account expiry (set to -1)
sudo chage -E -1 irfan
# Force password change on next login
sudo chage -d 0 irfan # Sets "last change" to epoch 0
Password complexity with pam_pwquality
Password complexity requirements are enforced by the pam_pwquality PAM module. The configuration file is /etc/security/pwquality.conf.
# Install pam_pwquality (usually pre-installed)
sudo apt install libpam-pwquality
# Configure password complexity
sudo nano /etc/security/pwquality.conf
/etc/security/pwquality.conf — recommended settings
# Minimum password length
minlen = 12
# Require at least 1 digit
dcredit = -1
# Require at least 1 uppercase
ucredit = -1
# Require at least 1 lowercase
lcredit = -1
# Require at least 1 special character
ocredit = -1
# Reject passwords that contain the username
usercheck = 1
# How many retries before failing
retry = 3
# Require at least 5 characters in the new password that are not present in the old one
difok = 5
# Verify the PAM configuration includes pwquality
grep -n "pam_pwquality" /etc/pam.d/common-password
Expected output (grep -n prefixes each match with its line number)
password requisite pam_pwquality.so retry=3
System-wide defaults in login.defs
# /etc/login.defs sets defaults for NEW accounts only
# (Does not affect existing accounts — use chage for those)
sudo nano /etc/login.defs
Key settings in /etc/login.defs
# Maximum password age (days)
PASS_MAX_DAYS 90
# Minimum days between changes
PASS_MIN_DAYS 7
# Days of warning before expiry
PASS_WARN_AGE 14
# Minimum length (overridden by pam_pwquality)
PASS_MIN_LEN 8
# UID and GID ranges for regular users and groups
UID_MIN 1000
UID_MAX 60000
GID_MIN 1000
GID_MAX 60000
# Apply login.defs values to existing accounts (bulk update)
# Run this to enforce aging on all non-system accounts
for user in $(awk -F: '$3 >= 1000 && $1 != "nobody" {print $1}' /etc/passwd); do
    sudo chage -M 90 -m 7 -W 14 "$user"
    echo "Updated: $user"
done
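To confirm the bulk update took effect, the following added example (not part of the original article) parses shadow(5)-format lines and lists accounts whose aging fields miss the 90/7/14 policy used above. The function names, the sample entries and the choice to skip hashes starting with ! or * are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit password-aging fields in shadow(5)-format data.
# Thresholds mirror the values used on this page (-M 90 -m 7 -W 14).

# Constructed sample data in /etc/shadow layout:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
sample_shadow() {
    cat <<'EOF'
root:!:19875:0:99999:7:::
daemon:*:19875:0:99999:7:::
alice:$y$constructed-hash-a:19875:7:90:14:30::
bob:$y$constructed-hash-b:19875:0:99999:7:::
carol:$y$constructed-hash-c:19875:7:90:7:::
EOF
}

# audit_aging [FILE]: print "user: findings" for every account that has a
# usable password hash but does not meet the aging policy. Reads stdin
# when FILE is omitted.
audit_aging() {
    awk -F: -v max=90 -v min=7 -v warn=14 '
        function show(v) { return v == "" ? "unset" : v }
        # Assumption: entries whose hash starts with ! or * cannot log in
        # with a password (locked or system accounts), so skip them.
        $2 ~ /^[!*]/ { next }
        {
            r = ""
            if ($5 == "" || $5 + 0 > max)  r = r " max_days=" show($5)
            if ($4 == "" || $4 + 0 < min)  r = r " min_days=" show($4)
            if ($6 == "" || $6 + 0 < warn) r = r " warn_days=" show($6)
            if (r != "") print $1 ":" r
        }' "${1:--}"
}

# Demo on the constructed sample; on a real host run as root:
#   audit_aging /etc/shadow
sample_shadow | audit_aging
```

An empty result means every account with a usable password meets the policy; any line printed names an account that still needs chage applied.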
Checking password strength manually
# Test a password against pwquality rules without changing anything
# (pwscore is provided by the libpwquality-tools package)
pwscore <<< "TestPassword123!"
pwscore output (0-100 quality score)
80
# Install cracklib tools for additional checking
sudo apt install libcrack2 cracklib-runtime
# Check if a password would be rejected
echo "password123" | cracklib-check
Password history
# Prevent reusing the last 5 passwords
# Edit /etc/pam.d/common-password and add remember=5 to the pam_unix line
sudo nano /etc/pam.d/common-password
Line to modify in /etc/pam.d/common-password
# Find the line with pam_unix.so and add remember=5:
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
Conclusion
Enforce password complexity through /etc/security/pwquality.conf and password aging through chage for individual users or /etc/login.defs for system defaults. Set PASS_MAX_DAYS 90 and PASS_WARN_AGE 14 in login.defs for new accounts. Run a bulk chage update script to apply aging to all existing standard user accounts. Combine with MFA (pam_google_authenticator) for systems requiring strong authentication.
FAQ
Are user password policies important for Ubuntu administrators?
Yes. They support practical Ubuntu administration because they connect directly to server reliability, security, troubleshooting, or daily operations.
Should I practice this on a live server?
Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.
What should I do after reading this article?
Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.