Using the same password on different servers lets an attacker into all of your accounts once a cracker manages to steal that password from a less secure server. The same is true for online website accounts. The solution is to create a unique password for each server account, such as your email, SFTP and SSH accounts. General guidelines for creating a strong and unique password are as follows:
- Create a password with mix of numbers, special symbols, and alphabets.
- Make sure your password is hard to guess. You can use a tool such as makepasswd to create a hard-to-guess password.
- Do not use simple words like "password", "123456", "123abc" or "qwerty".
- Use a unique password for each of your server accounts.
- Use a minimum password length of 12 to 14 characters. See how to configure password quality requirements on CentOS / RHEL / Fedora Linux based servers.
- Generate passwords randomly where feasible. You can do this with a simple shell script function.
- If possible use two-factor authentication.
- Use pam_cracklib to enforce strong passwords and to check passwords against a dictionary.
But how do you test how well a password resists guessing and brute-force attacks under Linux? The answer is simple: use the cracklib-check command.
Say hello to cracklib-check
This command takes a list of passwords from the keyboard (stdin), one per line, and checks each one using libcrack2. The idea is simple: prevent users from choosing passwords that could be guessed by "crack" by filtering them out at the source.
Examples
Test a simple password like "password", enter:
$ echo "password" | cracklib-check
Sample outputs:
password: it is based on a dictionary word
Try sequential patterns such as "abc123456":
$ echo "abc123456" | cracklib-check
Sample outputs:
abc123456: it is too simplistic/systematic
Try a password with a mix of letters, numbers, and symbols:
$ echo 'i1oVe|DiZza' | cracklib-check
Sample outputs:
i1oVe|DiZza: OK
The above password increases the difficulty of guessing or cracking your password. I used a random phrase (easy to remember), "I Love Pizza", and inserted random characters to create a strong, hard-to-guess password: "i1oVe|DiZza".
Putting it all together
#!/bin/bash
# A sample shell script to add a user to the system
# Check password for strength
# Written by Vivek Gite under GPL v2.x+
# ----------------------------------------------
read -p "Enter username : " user
read -sp "Enter password : " password
echo
echo "Testing password strength..."
echo
# cracklib-check echoes "<password>: <verdict>" on one line
result="$(cracklib-check <<<"$password")"
# okay, awk is a bad choice (it misreads a password that itself contains ": "), but this is a demo
okay="$(awk -F': ' '{ print $2 }' <<<"$result")"
if [[ "$okay" == "OK" ]]
then
	echo "Adding a user account, please wait..."
	# only set the password if the account was actually created
	/sbin/useradd -m -s /bin/bash "$user" && echo "$user:$password" | /sbin/chpasswd
else
	echo "Your password was rejected - $result"
	echo "Try again."
fi
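As an added example (not part of the original post), here is a reusable wrapper around cracklib-check that avoids the two weak spots of the demo script: it reads the verdict from after the last ": " so a password that itself contains ": " is not misparsed, and it refuses a password containing a newline before cracklib-check could read it as two separate passwords. check_password() assumes cracklib-check is installed; parse_verdict() works on a captured output line with nothing installed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes cracklib-check is on PATH
# for check_password(); parse_verdict() only needs a captured output line.

# Extract the verdict from one cracklib-check output line.
# cracklib-check prints "<password>: <verdict>", so take everything after the
# LAST ": " instead of the second ": "-separated field, which breaks when the
# password contains ": " itself.
parse_verdict() {
    line=$1
    case $line in
        *": "*) printf '%s\n' "${line##*: }" ;;
        *)      printf '%s\n' "unparseable cracklib-check output"; return 1 ;;
    esac
}

# Check one candidate password. Prints the verdict; exit status 0 only for "OK".
check_password() {
    password=$1
    # a literal newline would make cracklib-check see a second password
    nl=$(printf '\nx'); nl=${nl%x}
    case $password in
        *"$nl"*) printf '%s\n' "password must not contain a newline"; return 1 ;;
    esac
    # feed the password on stdin, never on the command line (visible in ps)
    line=$(printf '%s\n' "$password" | cracklib-check)
    verdict=$(parse_verdict "$line") || { printf '%s\n' "$verdict"; return 1; }
    printf '%s\n' "$verdict"
    [ "$verdict" = OK ]
}

# Demo over constructed candidates, only when cracklib-check is available.
if command -v cracklib-check >/dev/null 2>&1; then
    for candidate in password abc123456 'i1oVe|DiZza'; do
        printf '%-12s -> %s\n' "$candidate" "$(check_password "$candidate")"
    done
fi
```

Because check_password() returns non-zero for any rejection, it can be used directly in an `if` in an account-creation script, as the demo above does with awk.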
A note about password manager
A reasonable compromise for handling a large number of passwords is to record them in a password manager, which can be a stand-alone application, a web browser extension, or a manager built into the operating system. See how to install gpass, an easy-to-use and secure password manager for GNOME2 on RHEL / CentOS / Fedora Linux desktops. gpass stores all your passwords in an encrypted (Blowfish) file protected by a master password.
Recommended readings:
- OpenSSH server best security practices
- HowTo set password quality requirements under Linux.
- Linux upgrade password hashing algorithm to SHA-512.
- man pages - cracklib-check, useradd, chpasswd, and passwd commands.
This blog post, HowTo: Linux Check Password Strength With Cracklib-check Command, was originally published at nixCraft on July 22, 2012 under Command Line Hacks, Security.