To enforce the password length, we can use /etc/login.defs
PASS_MIN_LEN 8next time when user changes password, anything shorter than 8 characters will be rejected.
To enforce the password complexity, we have to make sure it consists of uppercase, lowercase, special characters, and digits. This can be easily done through the use of PAM.
$ man pam_cracklib
So to force at least 1 lowercase character in the password, we should use negative number, lcredit=-1
- (N >= 0) This is the maximum credit for having lower case letters in the new password.
(N < 0) This is the minimum number of lower case letters that must be met for a new password.
To enforce a password having at least 4 lower cases, 2 upper cases, 1 special character, and 1 digit, we can update the /etc/pam.d/system-auth
password requisite pam_cracklib.so dcredit=-1 ucredit=-2 lcredit=-4 ocredit=-1