How to Set Up Password Expiration and Policies in Debian 12 Bookworm
Strong password policies are a basic part of hardening a Debian 12 Bookworm system. Password aging limits how long a password that has been phished, shared or quietly reused stays usable, complexity rules raise the cost of guessing, and lockout throttles online brute-force attempts. This article shows how to configure password expiration, complexity and lockout on Debian 12 Bookworm with the tools Debian ships.
Why Password Policies Are Important
Password policies help enforce security best practices, reducing the risk of unauthorized access. Some key reasons to implement password policies include:
- Limiting the useful lifetime of a leaked or shared password by forcing periodic changes, and giving abandoned accounts a point at which they lock.
- Raising the cost of password guessing and brute-force attacks through length and character-class requirements and lockout after repeated failures.
- Blocking the weakest choices outright (dictionary words, the user name, trivial variations of the previous password).
- Complying with organizational security policies that mandate password expiration and resets.
Note that current guidance such as NIST SP 800-63B advises against forcing periodic changes for their own sake and prefers screening against known-breached passwords plus resets on evidence of compromise; treat the expiry values below as something to align with your own policy rather than as a universal best practice.
Understanding Debian 12’s Password Policy Mechanism
Debian 12 Bookworm provides tools to enforce password expiration, complexity and lockout rules. The key utilities include:
- passwd – Sets or locks a user's password, and can expire it immediately (-e) or set its aging limits (-n, -x, -w).
- chage – Views and sets password aging for a user: last change date, minimum and maximum age, warning and inactivity periods, account expiry.
- pam_pwquality – A Pluggable Authentication Module (PAM) that checks new passwords against complexity rules. On Debian it comes from the libpam-pwquality package, which is not installed by default.
- /etc/login.defs – Defines the default aging values (PASS_MAX_DAYS and friends) that useradd applies to newly created accounts.
- /etc/security/pwquality.conf – Configuration file for pam_pwquality's complexity rules.
- pam_faillock – The PAM module that counts failed logins and locks accounts; the older pam_tally2 is not available in Debian 12.
Let's go through each of these tools and how they can be used to configure password policies on Debian 12.
Setting Up Password Expiration Policies
1. Checking Password Aging Information
To view the current password aging settings for a user, use the chage command:
sudo chage -l username
Example output:
Last password change : Mar 01, 2025
Password expires : May 30, 2025
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
The values come from the user's entry in /etc/shadow. "Password expires" is the last change date plus the maximum age; a maximum age of "never" corresponds to the default of 99999 days, and "Password inactive: never" means the account is not locked automatically once the password has expired.
2. Configuring Password Expiration
To set password aging for a single user, use the chage command:
sudo chage -M 90 -m 7 -W 7 username
- -M 90 – Sets the maximum password age to 90 days; after that the user must change it at the next login.
- -m 7 – Sets the minimum time between password changes to 7 days, so the user cannot change it again right away.
- -W 7 – Warns the user at login during the 7 days before the password expires.
Optionally add -I 30 so that an account whose password has been expired for 30 days is locked until an administrator resets it (-I -1 removes that limit). chage only updates the aging fields in /etc/shadow; it does not change the password itself.
3. Setting Aging Defaults for New Accounts
The PASS_* values in /etc/login.defs are the defaults that useradd applies when it creates an account. They do not change accounts that already exist, so existing users still have to be updated individually with chage. To set the defaults, edit the file:
sudo nano /etc/login.defs
Find and modify the following lines:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7
Save the file and exit. To verify, create a test account with useradd and inspect its aging fields with chage -l.
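Because the login.defs values only apply going forward, the following script (an added example, not part of the original article or of Debian) audits accounts in /etc/shadow format against the 90/7/7 policy and prints, or when run as root with the apply argument executes, the chage commands that bring stragglers into line. The shadow lines embedded in it are constructed sample data; on a real host feed it the output of sudo cat /etc/shadow.

```shell
#!/usr/bin/env bash
# Added example, not from the article: audit password aging for existing
# accounts and emit the chage commands that bring them into policy.
# The PASS_* defaults in /etc/login.defs only affect accounts that useradd
# creates afterwards, so existing users have to be checked and fixed here.

POLICY_MAX=90    # PASS_MAX_DAYS
POLICY_MIN=7     # PASS_MIN_DAYS
POLICY_WARN=7    # PASS_WARN_AGE

# Constructed sample data in /etc/shadow format (not from a real system):
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$y$j9T$abc...:20148:0:99999:7:::
alice:$y$j9T$def...:20148:7:90:7:::
bob:$y$j9T$ghi...:19500::99999::::
carol:!:20100:7:90:7:::
svc-backup:*:20148:0:99999:7:::'

# audit_aging SHADOW_TEXT -> one "user:max:min:warn" line per account whose
# aging is weaker than the policy. Accounts without a usable hash ("*", or a
# "!" lock prefix) are skipped: no password login is possible for them anyway.
audit_aging() {
  printf '%s\n' "$1" | awk -F: -v max="$POLICY_MAX" -v min="$POLICY_MIN" -v warn="$POLICY_WARN" '
    NF < 2 { next }                       # blank or malformed line
    $2 == "*" || $2 ~ /^!/ { next }       # locked or no password set
    {
      m = ($5 == "") ? 99999 : $5 + 0     # empty max age means "never expires"
      n = ($4 == "") ? 0 : $4 + 0
      w = ($6 == "") ? 0 : $6 + 0
      if (m > max || n < min || w < warn)
        printf "%s:%s:%s:%s\n", $1, m, n, w
    }'
}

# remediate AUDIT_OUTPUT [apply] -> prints the chage command for each flagged
# account; with "apply" and running as root it executes them instead.
remediate() {
  local mode=$2
  printf '%s\n' "$1" | while IFS=: read -r user rest; do
    [ -n "$user" ] || continue
    if [ "$mode" = apply ] && [ "$(id -u)" -eq 0 ]; then
      chage -M "$POLICY_MAX" -m "$POLICY_MIN" -W "$POLICY_WARN" "$user"
    else
      echo "chage -M $POLICY_MAX -m $POLICY_MIN -W $POLICY_WARN $user"
    fi
  done
}

flagged=$(audit_aging "$SAMPLE_SHADOW")
echo "Accounts outside the ${POLICY_MAX}/${POLICY_MIN}/${POLICY_WARN} policy (user:max:min:warn):"
echo "$flagged"
echo "Dry run of the fix:"
remediate "$flagged"
# On a real host, as root:  remediate "$(audit_aging "$(cat /etc/shadow)")" apply
```

Run it once as a dry run and read the list before passing apply: root is flagged like any other account, and some sites deliberately exempt it or service accounts from aging.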
Enforcing Password Complexity
Password complexity ensures that users choose strong passwords that are difficult to guess. Debian 12 uses the pam_pwquality module for this, but it is not installed by default: install the libpam-pwquality package (sudo apt install libpam-pwquality). Installing it registers a pam-auth-update profile, so the module is enabled in /etc/pam.d/common-password automatically. Without it, the only check on a new password is the basic obscure option of pam_unix.
1. Configuring Password Complexity Requirements
Edit the /etc/security/pwquality.conf file:
sudo nano /etc/security/pwquality.conf
Modify or add the following lines:
minlen = 12
minclass = 3
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
- minlen = 12 – Minimum password length. Positive *credit values add bonus characters to this count; the negative values used here add nothing, so 12 is a real minimum.
- minclass = 3 – Requires at least three of the four character classes (uppercase, lowercase, digits, other). With all four credits set to -1 every class is already mandatory, so this setting only matters if you later relax one of the credits.
- dcredit = -1 – Requires at least one digit.
- ucredit = -1 – Requires at least one uppercase letter.
- lcredit = -1 – Requires at least one lowercase letter.
- ocredit = -1 – Requires at least one non-alphanumeric character.
By default root only gets a warning when it sets a password that fails these checks; add enforce_for_root to the same file to reject such passwords for root too. The module also rejects dictionary words, palindromes, passwords containing the user name and passwords too similar to the previous one unless those checks are disabled in the same file.
2. Enforcing Password Complexity via PAM
Installing libpam-pwquality adds the module to the PAM password stack. Check the PAM configuration file:
sudo nano /etc/pam.d/common-password
Ensure the following line is present, above the pam_unix.so entry that actually stores the hash:
password requisite pam_pwquality.so retry=3
- retry=3 – passwd re-prompts up to three times for a new password that fails the checks before giving up.
The requisite control means a rejected password ends the stack immediately. common-password is generated by pam-auth-update, and manual edits inside its marked block are overwritten the next time it runs (for example on a libpam upgrade), so keep the actual settings in /etc/security/pwquality.conf and, if you need different module options, provide them through a pam-auth-update profile (see pam-auth-update(8)) rather than editing this file by hand.
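To see what the settings above accept and reject before they go live, here is an added example (not from the article and not libpwquality code) that re-implements the length and credit arithmetic of pwquality's simple check in shell. It compares the article's configuration with the same minlen under positive credits (the older pam_cracklib convention) to show why the negative values matter. The sample passwords are constructed; pwscore from the libpwquality-tools package remains the authoritative check.

```shell
#!/usr/bin/env bash
# Added example, not libpwquality code: re-implements the length and credit
# arithmetic of pwquality's "simple" check so the effect of minlen, minclass
# and the *credit settings can be tried out before they go live.
# pwscore(1) from libpwquality-tools is the authoritative check; it also runs
# the dictionary, palindrome, user-name and similarity tests omitted here.

# count_class PASSWORD TRSET -> number of bytes of PASSWORD in the tr(1) set.
# Byte-based, so results match pwquality only for ASCII passwords.
count_class() {
  printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password PASSWORD MINLEN MINCLASS DCREDIT UCREDIT LCREDIT OCREDIT
# Prints "OK" or the first reason for rejection and returns 1.
# Credit semantics as in pwquality:
#   credit >= 0: up to CREDIT characters of that class count extra towards minlen
#   credit <  0: at least -CREDIT characters of that class are mandatory
check_password() {
  local pw=$1 minlen=$2 minclass=$3
  local len d u l o bonus=0 classes=0 spec count credit name
  len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
  d=$(count_class "$pw" '0-9')
  u=$(count_class "$pw" 'A-Z')
  l=$(count_class "$pw" 'a-z')
  o=$(( len - d - u - l ))
  for spec in "$d:$4:digit" "$u:$5:uppercase" "$l:$6:lowercase" "$o:$7:non-alphanumeric"; do
    count=${spec%%:*}
    credit=${spec#*:}; credit=${credit%%:*}
    name=${spec##*:}
    [ "$count" -gt 0 ] && classes=$((classes + 1))
    if [ "$credit" -lt 0 ]; then
      if [ "$count" -lt $(( -credit )) ]; then
        echo "REJECT: needs at least $(( -credit )) $name character(s)"
        return 1
      fi
    elif [ "$count" -lt "$credit" ]; then
      bonus=$((bonus + count))
    else
      bonus=$((bonus + credit))
    fi
  done
  if [ $((len + bonus)) -lt "$minlen" ]; then
    echo "REJECT: shorter than $minlen characters ($len + $bonus credit)"
    return 1
  fi
  if [ "$classes" -lt "$minclass" ]; then
    echo "REJECT: only $classes of $minclass required character classes"
    return 1
  fi
  echo "OK"
}

# The article's pwquality.conf values: minlen 12, minclass 3, all credits -1.
check_policy()  { check_password "$1" 12 3 -1 -1 -1 -1; }
# Same minlen with positive credits (the old pam_cracklib convention), for
# comparison: each class present lends one bonus character to the length.
check_lenient() { check_password "$1" 12 3 1 1 1 1; }

# Constructed sample passwords.
for pw in 'password1234' 'Tr0ub4dor&3' 'Correct-Horse-9'; do
  printf '%-16s  policy: %-50s  lenient: %s\n' \
    "$pw" "$(check_policy "$pw")" "$(check_lenient "$pw")"
done
# Compare against the real library when libpwquality-tools is installed:
if command -v pwscore >/dev/null 2>&1; then
  printf '%s\n' 'Tr0ub4dor&3' | pwscore || true
fi
```

The interesting row is Tr0ub4dor&3: eleven characters with all four classes present passes under positive credits, because each class adds a bonus character, but is rejected under the article's settings, where minlen is a hard floor.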
Forcing Password Change for Users
To force a user to change their password at the next login (this sets the last-change date in /etc/shadow to 0):
sudo passwd --expire username
To do this for every regular user at once, select UIDs in the normal user range and exclude nobody (UID 65534):
sudo awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd | xargs -n1 sudo passwd --expire
Run the awk part on its own first and read the list: any service or automation account that matches will be unable to log in until a human changes its password.
Implementing Account Lockout Policies
To slow down online brute-force attacks, lock an account after repeated failures with pam_faillock. Do not use pam_tally2 here: it was removed in Linux-PAM 1.5 and Debian 12 no longer ships it, and a required module that cannot be loaded makes every login through that stack fail.
First set the thresholds in /etc/security/faillock.conf:
sudo nano /etc/security/faillock.conf
deny = 5
unlock_time = 900
- deny = 5 – Locks the account after 5 consecutive failed attempts.
- unlock_time = 900 – Unlocks the account automatically after 15 minutes (900 seconds). With 0 the lock stays until an administrator resets it, which turns a password-guessing attempt into a denial of service against the user.
The same options can instead be given on the module lines below (deny=5 unlock_time=900).
Then wire the module into the authentication stack. Edit /etc/pam.d/common-auth:
sudo nano /etc/pam.d/common-auth
The module must appear three times, placed around the pam_unix line in this order:
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so
preauth flags an already locked account before the password is checked (use requisite instead of required to skip the password prompt entirely), authfail records a failure and ends the stack when pam_unix rejects the password, and authsucc clears the counter after a successful login. Drop nullok if no account may have an empty password. Because common-auth is generated by pam-auth-update, re-check it after libpam upgrades or, better, provide these lines as a pam-auth-update profile (see pam-auth-update(8)).
To see a user's recorded failures, and to unlock the account by hand:
sudo faillock --user username
sudo faillock --user username --reset
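After editing common-auth it is worth checking the ordering mechanically, since a mis-placed pam_faillock line fails silently. This added shell function (not part of the article or of Debian) reads an auth stack and reports a leftover pam_tally2 line, missing pam_faillock entries, or preauth/authfail placed on the wrong side of pam_unix; the three stacks it checks are constructed samples, and the last one is the layout recommended above.

```shell
#!/usr/bin/env bash
# Added example, not from the article or Debian: lint an auth stack
# (/etc/pam.d/common-auth) for a correct pam_faillock layout. It catches a
# leftover pam_tally2 line, missing faillock entries, and preauth/authfail
# on the wrong side of pam_unix, where they silently do nothing.

LINT_PROBLEMS=0
problem() { echo "$1"; LINT_PROBLEMS=$((LINT_PROBLEMS + 1)); }

# lint_auth_stack < FILE -> prints one line per problem, or "OK";
# exit status 1 when problems were found.
lint_auth_stack() {
  local n=0 line first tally=0 unixline=0 preauth=0 authfail=0 authsucc=0
  LINT_PROBLEMS=0
  while IFS= read -r line; do
    n=$((n + 1))
    first=${line%%[[:space:]]*}
    [ "$first" = auth ] || continue     # skip comments, blank lines, other stacks
    case "$line" in
      *pam_tally2.so*)            tally=$n ;;
      *pam_unix.so*)              unixline=$n ;;
      *pam_faillock.so*preauth*)  preauth=$n ;;
      *pam_faillock.so*authfail*) authfail=$n ;;
      *pam_faillock.so*authsucc*) authsucc=$n ;;
    esac
  done
  [ "$tally" -eq 0 ]    || problem "line $tally: pam_tally2.so is not shipped with Debian 12 (removed in Linux-PAM 1.5); use pam_faillock.so"
  [ "$unixline" -ne 0 ] || problem "missing: pam_unix.so in the auth stack"
  [ "$preauth" -ne 0 ]  || problem "missing: pam_faillock.so preauth (locked accounts are never refused)"
  [ "$authfail" -ne 0 ] || problem "missing: pam_faillock.so authfail (failures are never counted)"
  [ "$authsucc" -ne 0 ] || problem "missing: pam_faillock.so authsucc (tally never reset after a good login)"
  if [ "$preauth" -ne 0 ] && [ "$unixline" -ne 0 ] && [ "$preauth" -gt "$unixline" ]; then
    problem "line $preauth: preauth must come before pam_unix.so (line $unixline)"
  fi
  if [ "$authfail" -ne 0 ] && [ "$unixline" -ne 0 ] && [ "$authfail" -lt "$unixline" ]; then
    problem "line $authfail: authfail must come after pam_unix.so (line $unixline)"
  fi
  [ "$LINT_PROBLEMS" -eq 0 ] && echo "OK"
  return $(( LINT_PROBLEMS > 0 ))
}

# Constructed samples (not copied from any host).
# 1. The stack from a pam_tally2-era guide: the module no longer exists.
BAD_STACK='auth required pam_tally2.so deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so'
# 2. Right modules, wrong order: a successful pam_unix skips into authfail.
MISORDERED_STACK='auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so'
# 3. pam_faillock wired in correctly around Debian's pam_unix line.
GOOD_STACK='auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so'

echo "== pam_tally2-era stack";  printf '%s\n' "$BAD_STACK"        | lint_auth_stack || echo "   -> needs fixing"
echo "== mis-ordered faillock";  printf '%s\n' "$MISORDERED_STACK" | lint_auth_stack || echo "   -> needs fixing"
echo "== corrected stack";       printf '%s\n' "$GOOD_STACK"       | lint_auth_stack || echo "   -> needs fixing"
# On a real host:  lint_auth_stack < /etc/pam.d/common-auth
```

The check only looks at auth lines; if you reset the tally from the account stack instead (account required pam_faillock.so), adjust the authsucc rule accordingly.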
Conclusion
Setting up password expiration and policies on Debian 12 Bookworm enhances system security by enforcing strong password practices. By implementing password aging, complexity rules, and lockout mechanisms, administrators can significantly reduce the risk of unauthorized access. Regularly reviewing and updating these policies ensures compliance with security best practices and organizational policies.
By following the steps in this guide, you can effectively secure user authentication on your Debian 12 system.