Strong passwords are a MUST. Secure connections are also a MUST. I.E. no ftp etc.
To audit your passwords - you need to install a program called 'john the ripper' or simply “john” apt-get install john john -single /etc/passwd # does a single pass john -single /etc/shadow (if exists) john /etc/passwd # does all three passes john # to get all available options. john /path/to/htpasswd # also happily does htaccess passwords!
Hydra is the name of a similar app used to test password strength.<br> Source/More info: http://www.debian-administration.org/articles/59 = Force Strong Passwords = apt-get install libpam-cracklib # the above installs itself ontop of the 'passwd' command. # issuing a passwd (changing password) will test the strength of the new password. vi /etc/pam.d/common.password #comment out the following line: #password required pam_unix.so nullok obscure min=4 max=8 md5 #uncomment: password required pam_cracklib.so retry=3 minlen=6 difok=3 password required pam_unix.so use_authtok nullok md5
Thats it. A user trying to set too short a password etc. won't be able. Legend: retry=2 : Prompt user at most 2 times before returning with error minlen=10 : minimum length allowed for an account password is set to 10 characters. This is the minimum simplicity count for a good password. And you are allowed only 2 times using retry option. difok=6: How many characters can be the same in the new password relative to the old. User will see error - BAD PASSWORD: is too similar to the old one You can also apply following options to compute the 'unsimplicity' of the password. dcredit=N : Digits characters ucredit=N : Upper characters lcredit=N : Lower characters ocredit=N : Other characters
Note: The restrictions are only applied to normal users. Root still can set a weak password.
References: http://darwish-07.blogspot.com/2007_06_01_archive.html http://www.cyberciti.biz/tips/linux-check-passwords-against-a-dictionary-attack.html (Legend Info.) http://idahopcug.apcug.org/Debian/securing-debian-howto.en.pdf
Debain page → http://packages.debian.org/unstable/libs/libpam-cracklib
pwgen # as described already on this wiki here → pwgen