Password Management & Security

Password security is the first line of defense in Linux system protection. Understanding password management, encryption methods, and security policies is crucial for maintaining system integrity and preventing unauthorized access in multi-user environments.

Linux Password Files

Linux stores user authentication information in several key files with different security levels:

/etc/passwd # User account information (world-readable)
username:x:1000:1000:User Name:/home/username:/bin/bash
# 'x' indicates password is stored in /etc/shadow

/etc/shadow # Secure password hashes (root-only)
username:$6$rounds=656000$salt$hash:18888:0:99999:7:::
└─ username:password_hash:last_change:min:max:warn:inactive:expire

/etc/group # Group membership information
groupname:x:1000:user1,user2

/etc/gshadow # Secure group passwords
groupname:!:::

Password Management Commands

passwd - User Passwords

Manage user passwords and account status.

passwd [options] [username]

Common Uses:

  • passwd - Change own password
  • passwd john - Change another user's password (root)
  • passwd -l john - Lock user account
  • passwd -u john - Unlock user account
  • passwd -S john - Show password status
  • passwd -d john - Delete password (the account becomes passwordless; prefer -l to disable logins)

chage - Password Aging

Manage password expiration and aging policies.

chage [options] username

Common Options:

  • -l - List password aging info
  • -m days - Minimum password age
  • -M days - Maximum password age
  • -W days - Warning period before expiration
  • -I days - Inactive period after expiration
  • -E date - Account expiration date
  • -d date - Last password change date

gpasswd - Group Passwords

Manage group passwords and membership.

gpasswd [options] groupname

Common Uses:

  • gpasswd groupname - Set group password
  • gpasswd -a user group - Add user to group
  • gpasswd -d user group - Remove user from group
  • gpasswd -A user group - Set group administrator
  • gpasswd -M user1,user2 group - Set group members

Password Encryption Methods

Hash Type   Identifier        Security Level   Example                       Notes
DES         none              ❌ Very Weak     abJnggxhB/yWI                 Legacy crypt(3); only the first 8 characters of the password count
MD5         $1$               ❌ Weak          $1$salt$hash                  Fast to compute with no cost parameter (collision attacks are also known)
Blowfish    $2a$, $2b$, $2y$  ✅ Strong        $2a$10$salt$hash              bcrypt; "10" is the cost factor, so computationally expensive
SHA-256     $5$               ✅ Good          $5$rounds=5000$salt$hash      Default on many systems
SHA-512     $6$               ✅ Very Strong   $6$rounds=656000$salt$hash    Widely deployed standard; rounds= sets the work factor
Yescrypt    $y$               ✅ Excellent     $y$parameter$salt$hash        Newer default (e.g. Debian 11+, Ubuntu 22.04+); memory-hard
Password Hash Identification:
$1$ - MD5
$2a$, $2b$, $2y$ - Blowfish/bcrypt
$5$ - SHA-256
$6$ - SHA-512 (current standard)
$y$ - Yescrypt (new standard)
Check your system's default: grep ENCRYPT_METHOD /etc/login.defs
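The shadow fields described above and the hash identifier table can be combined into a small audit. This is an added example, not part of the original page or any distribution's tooling; it runs on constructed shadow-format lines with placeholder hashes, and the 90-day threshold is an assumption taken from the PASS_MAX_DAYS value used later on this page.

```python
# Prefix -> algorithm, from the identification table above; a 13-character
# field with no '$' is a legacy DES hash.
HASH_PREFIXES = {"$y$": "yescrypt", "$6$": "SHA-512", "$5$": "SHA-256",
                 "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$1$": "MD5"}
WEAK_ALGORITHMS = {"MD5", "DES"}
MAX_DAYS_POLICY = 90  # assumption: mirrors PASS_MAX_DAYS 90 from the login.defs example

def classify_hash(field):
    """Name the algorithm of a shadow password field, or its special state."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"  # '!hash' = locked by passwd -l, '*' = password login disabled
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "DES" if len(field) == 13 and "$" not in field else "unknown"

def audit_shadow(lines):
    """Return (user, issue) pairs for the given shadow-format lines."""
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) != 9:  # malformed entry; pwck reports these
            continue
        user, pw, _last, _min, max_days = fields[:5]
        algo = classify_hash(pw)
        if algo == "empty":
            findings.append((user, "empty password"))
        elif algo in WEAK_ALGORITHMS or algo == "unknown":
            findings.append((user, f"weak or unrecognised hash ({algo})"))
        # Aging only matters where a password can actually be used to log in.
        if algo not in ("empty", "locked") and (
                max_days in ("", "99999") or int(max_days) > MAX_DAYS_POLICY):
            findings.append((user, f"max age missing or above {MAX_DAYS_POLICY} days"))
    return findings

# Constructed sample entries (not from a real system); hash bodies are placeholders.
SAMPLE_SHADOW = [
    "root:$y$j9T$saltsalt$hashhashhash:19500:0:99999:7:::",
    "alice:$6$rounds=656000$salt$hash:19500:7:90:14:30::",
    "bob::19500:0:99999:7:::",
    "legacy:$1$salt$hash:18000:0:365:7:::",
    "svc:!:19500:0:99999:7:::",
    "old:abJnggxhB/yWI:15000:0:90:7:::",
]
if __name__ == "__main__":
    for user, issue in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {issue}")
```

On a real host, feed it `sudo getent shadow` output line by line instead of SAMPLE_SHADOW.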

Password Policy Configuration

/etc/login.defs

System-wide password and login defaults.

nano /etc/login.defs

Key Settings:

  • PASS_MAX_DAYS 90 - Maximum password age (applied to newly created accounts; use chage for existing ones)
  • PASS_MIN_DAYS 7 - Minimum password age
  • PASS_WARN_AGE 14 - Warning period
  • PASS_MIN_LEN 8 - Minimum password length (ignored on PAM-based systems; set minlen in pwquality.conf instead)
  • ENCRYPT_METHOD SHA512 - Default hash method (YESCRYPT on newer distributions)
  • UMASK 022 - Default file creation mask

PAM Configuration

Pluggable Authentication Modules for advanced policies.

nano /etc/pam.d/common-password

PAM Modules:

  • pam_pwquality - Password quality checking (successor to pam_cracklib)
  • pam_tally2 - Login attempt limiting (removed in Linux-PAM 1.5; use pam_faillock)
  • pam_faillock - Account locking after failures
  • pam_cracklib - Dictionary checking (deprecated in favour of pam_pwquality)
  • pam_unix - Standard Unix authentication

pwquality.conf

Password quality requirements configuration.

nano /etc/security/pwquality.conf

Common Settings:

  • minlen = 12 - Minimum password length
  • minclass = 3 - Minimum character classes
  • maxrepeat = 3 - Maximum repeated characters
  • maxsequence = 4 - Maximum sequential characters
  • dictcheck = 1 - Check against dictionary words
  • usercheck = 1 - Check against username

Practical Password Configuration

Implementing Strong Password Policies

# 1. Configure system-wide password policies
sudo nano /etc/login.defs

# Add or modify these lines (PASS_MIN_LEN is ignored on PAM-based systems;
# the effective minimum length comes from pwquality.conf in step 2):
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
PASS_MIN_LEN 12
ENCRYPT_METHOD SHA512   # or YESCRYPT where the distribution supports it

# 2. Configure password quality requirements
sudo nano /etc/security/pwquality.conf

# Add these settings (a negative credit means "at least one of this class"):
minlen = 12
minclass = 3
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
maxrepeat = 2
maxsequence = 3
dictcheck = 1
usercheck = 1
# Without enforce_for_root = 1, root only gets a warning when setting a weak password for someone else

# 3. Configure PAM for login lockout
sudo nano /etc/pam.d/common-auth

# Use pam_faillock only: pam_tally2 was removed in Linux-PAM 1.5 and the two
# must not be stacked. preauth goes before pam_unix.so, authfail after it:
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900
# and in /etc/pam.d/common-account:
account required pam_faillock.so
# On authselect-based systems (Fedora/RHEL) use instead:
# sudo authselect enable-feature with-faillock

# 4. Apply password policies to existing users
# Check current password aging:
sudo chage -l username

# Set strong policies for a user:
sudo chage -m 7 -M 90 -W 14 -I 30 username

# 5. Force password change on next login:
sudo chage -d 0 username

# 6. Check password strength and lockout configuration:
grep -i pass /etc/login.defs
sudo faillock --user username

# 7. Test password policy:
# Run passwd as the user, not via sudo: root bypasses pwquality checks unless enforce_for_root is set
su - testuser -c passwd
# Try weak passwords to see policy enforcement
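To see how the pwquality.conf settings from step 2 (and the earlier pwquality.conf section) actually reject a password, here is a simplified model of those rules applied to the example passwords on this page. This is an added example, not libpwquality's own code: it ignores positive credits and dictionary checks, so use `pwscore` for the authoritative answer; the user name "alice" and the candidate passwords are constructed.

```python
import string
# Settings from the pwquality.conf step above. A negative credit means
# "require at least that many characters of the class"; 0 disables a check.
POLICY = {"minlen": 12, "minclass": 3, "dcredit": -1, "ucredit": -1, "lcredit": -1,
          "ocredit": -1, "maxrepeat": 2, "maxsequence": 3, "usercheck": 1}
CLASSES = {"dcredit": set(string.digits), "ucredit": set(string.ascii_uppercase),
           "lcredit": set(string.ascii_lowercase)}   # ocredit = everything else

def longest_repeat(pw):
    """Longest run of one identical character, e.g. 'aaa' -> 3."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def longest_sequence(pw):
    """Longest run stepping by +1 or -1 in code points, e.g. 'abcd' or '4321' -> 4."""
    best, run, direction = 1, 1, 0
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        run = (run + 1 if step == direction else 2) if step in (1, -1) else 1
        direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best

def check_password(pw, username, policy=POLICY):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < policy["minlen"]:
        problems.append(f"shorter than minlen={policy['minlen']}")
    counts = {k: sum(c in chars for c in pw) for k, chars in CLASSES.items()}
    counts["ocredit"] = len(pw) - sum(counts.values())
    if sum(1 for n in counts.values() if n) < policy["minclass"]:
        problems.append(f"fewer than minclass={policy['minclass']} character classes")
    for k, n in counts.items():
        if policy[k] < 0 and n < -policy[k]:
            problems.append(f"needs at least {-policy[k]} character(s) for {k}")
    if policy["maxrepeat"] and longest_repeat(pw) > policy["maxrepeat"]:
        problems.append(f"more than maxrepeat={policy['maxrepeat']} identical characters in a row")
    if policy["maxsequence"] and longest_sequence(pw) > policy["maxsequence"]:
        problems.append(f"monotonic sequence longer than maxsequence={policy['maxsequence']}")
    if policy["usercheck"] and username and any(
            u in pw.lower() for u in (username.lower(), username.lower()[::-1])):
        problems.append("contains the user name (usercheck)")
    return problems

if __name__ == "__main__":
    for candidate in ("password123", "Summer2024!", "C0rrectH0rs3B@tterSt@ple!"):
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```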

Password Security Best Practices

Strong Password Guidelines

Weak: password123
Medium: Summer2024!
Strong: Tr0ub4dour&3
Very Strong: C0rrectH0rs3B@tterSt@ple!
(Illustrative only: any password printed in a tutorial ends up in cracking wordlists, so never use these literally.)

  • Length: Minimum 12 characters, preferably 16+
  • Complexity: Mix uppercase, lowercase, numbers, symbols
  • Unpredictability: Avoid dictionary words, patterns, sequences
  • Uniqueness: Don't reuse passwords across systems
  • Passphrases: Consider using long, memorable phrases

System Security Measures

  • Regular Rotation: Enforce password changes every 60-90 days (note that NIST SP 800-63B now recommends rotation only on suspected compromise)
  • Account Lockout: Implement after 5-10 failed attempts
  • Password History: Remember last 10-24 passwords
  • Session Timeout: Automatic logout after inactivity
  • Root Access Control: Disable direct root login, use sudo
  • Regular Audits: Check for weak or empty passwords

Advanced Security Features

Two-Factor Authentication

Add an extra layer of security with 2FA.

google-authenticator

Implementation:

  • Install: sudo apt install libpam-google-authenticator
  • Configure PAM: add "auth required pam_google_authenticator.so" to /etc/pam.d/sshd
  • SSH config: ChallengeResponseAuthentication yes (KbdInteractiveAuthentication yes on OpenSSH 8.7+)
  • User setup: run google-authenticator as the user to create ~/.google_authenticator
  • Test with: ssh -o PreferredAuthentications=keyboard-interactive user@host

Password Auditing

Check for weak or compromised passwords.

john --show /etc/shadow

Audit Tools:

  • john - John the Ripper password cracker
  • hashcat - Advanced password recovery
  • pwscore (libpwquality) - Score a candidate password against pwquality.conf
  • pam_cracklib - Real-time password checking (deprecated; pam_pwquality on current systems)
  • Custom scripts to check for common patterns

SSH Key Authentication

Use keys instead of passwords for better security.

ssh-keygen -t ed25519

Key Management:

  • Generate keys: ssh-keygen -t ed25519 -C "comment"
  • Copy to server: ssh-copy-id user@host
  • Disable password auth: PasswordAuthentication no
  • Use key agents: ssh-add ~/.ssh/id_ed25519
  • Regular key rotation and management

Troubleshooting Password Issues

Common Password Problems and Solutions:

"Authentication failure" / "Permission denied"
# Check if account is locked
sudo passwd -S username
# Check failed login attempts (pam_faillock; pam_tally2 no longer exists on current systems)
sudo faillock --user username
# Reset failed attempts counter
sudo faillock --user username --reset
# Verify shadow file permissions (640 root:shadow on Debian/Ubuntu, 000 on RHEL-family)
ls -l /etc/shadow


"Bad password: too simple"
# Check password policy requirements
sudo grep -r minlen /etc/security/
# View current pwquality settings
cat /etc/security/pwquality.conf
# Score a candidate password against the policy (pwscore is part of libpwquality)
echo "newpassword" | pwscore


Password expired, cannot login
# Root can reset password and expiration
sudo passwd username
sudo chage -l username
sudo chage -M 90 username # Set new max days
sudo chage -d $(date +%Y-%m-%d) username # Reset last change


Shadow file corruption
# Backup current shadow file
sudo cp /etc/shadow /etc/shadow.backup
# Use pwck to check and repair
sudo pwck
# Restore from backup if needed
sudo cp /etc/shadow.backup /etc/shadow

Security Monitoring and Auditing

Regular Security Checks:

Check for weak passwords
# Find accounts with no password (empty second field)
sudo getent shadow | grep '^[^:]*::'
# Check password aging
for user in $(getent passwd | cut -d: -f1); do
    echo -n "$user: "; sudo chage -l "$user" 2>/dev/null | grep "Max" | cut -d: -f2
done
# Find accounts whose password never expires (max-age field empty or 99999)
sudo getent shadow | awk -F: '$5 == "" || $5 == 99999 {print $1}'


Monitor login attempts
# Check failed login attempts (use journalctl -t sshd where /var/log/auth.log does not exist)
sudo grep "Failed password" /var/log/auth.log
# Check successful logins (password and key based)
sudo grep -E "Accepted (password|publickey)" /var/log/auth.log
# List established SSH sessions (netstat -tulpn only shows listening sockets)
sudo ss -tn state established '( sport = :22 )'
# Check last logins
last | head -20
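The grep commands above list raw events; the natural next step is to aggregate them per source address and compare against the lockout threshold configured earlier. This added example (not from the original page) does that over constructed auth.log lines using RFC 5737 documentation addresses; the threshold of 5 mirrors the deny=5 used in the PAM step.

```python
import re
from collections import Counter, defaultdict

# sshd message formats as they appear in /var/log/auth.log (samples constructed below).
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def summarise_auth_log(lines, threshold=5):
    """Count failed logins per source address, flag sources that reached the
    lockout threshold, and note any source that then logged in successfully."""
    failures, users_tried, suspicious_success = Counter(), defaultdict(set), []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["ip"]] >= threshold:  # success after a burst of failures
            suspicious_success.append((m["ip"], m["user"]))
    return {
        "flagged": {ip: n for ip, n in failures.items() if n >= threshold},
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "suspicious_success": suspicious_success,
    }

# Constructed log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_AUTH_LOG = [
    "Mar  3 10:01:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:01:13 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2",
    "Mar  3 10:01:15 host sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Mar  3 10:01:17 host sshd[1204]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "Mar  3 10:01:19 host sshd[1205]: Failed password for alice from 203.0.113.5 port 51248 ssh2",
    "Mar  3 10:01:25 host sshd[1206]: Accepted password for alice from 203.0.113.5 port 51250 ssh2",
    "Mar  3 10:05:02 host sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2",
    "Mar  3 10:05:09 host sshd[1301]: Accepted publickey for bob from 198.51.100.7 port 40002 ssh2",
]

if __name__ == "__main__":
    report = summarise_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in report["flagged"].items():
        print(f"{ip}: {n} failures, users tried: {', '.join(report['users_tried'][ip])}")
    for ip, user in report["suspicious_success"]:
        print(f"{ip}: logged in as {user} after reaching the failure threshold")
```

Pipe real data in with `sudo grep sshd /var/log/auth.log` read line by line in place of SAMPLE_AUTH_LOG.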


Account activity monitoring
# Check currently logged in users
who
w
# Check user processes
ps aux --sort=-%cpu | head -10
# Monitor sudo usage
sudo grep sudo /var/log/auth.log

Critical Security Warnings:
• Never use empty passwords for any account
• Regularly audit and remove unused user accounts
• Implement account lockout policies to prevent brute force attacks
• Use SSH keys instead of passwords for remote access when possible
• Regularly update and patch the system to fix security vulnerabilities
• Monitor authentication logs for suspicious activity
• Implement two-factor authentication for critical systems
• Regularly review and update password policies

Key Takeaways

Effective password management is fundamental to Linux system security. By implementing strong password policies, using modern encryption methods like SHA-512 or Yescrypt, configuring PAM for additional security layers, and regularly auditing password strength, you can significantly enhance system protection. Remember that password security is not just about complexity but also about proper management, regular rotation, and monitoring for suspicious activity.

Next Step: Explore Linux process management and system monitoring to understand how to track system resource usage, manage running processes, and maintain optimal system performance.