Lockdown Lab #11 HIGH Linux (Ubuntu/RHEL)

Set password complexity and aging


Weak passwords are still the number one attack vector. Period. I’ve seen countless environments where a breach started with a simple brute-force or credential stuffing attack that bypassed basic defenses because the password policy was a joke.

If you’re running Linux servers, this isn’t just a “nice to have,” it’s non-negotiable. You need to enforce strong password complexity and force regular changes. Otherwise, you’re handing attackers an open invitation.

My baseline? Minimum 14 characters, 4 character classes, and a 90-day expiration. This significantly raises the bar for an attacker to crack credentials or reuse stolen ones. Stop relying on users to do the right thing; the system needs to enforce it.

For Ubuntu/RHEL, configure these:

minlen = 14
minclass = 4
PASS_MAX_DAYS 90

Don’t let this fundamental control be your downfall. Get it done.

The fix

# /etc/security/pwquality.conf
minlen = 14
minclass = 4

# /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 14
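An audit script, added here as an example and not part of the original post, that checks a pwquality.conf, login.defs and shadow file against the baseline above; the file paths and the sample data in the test are assumptions. It also walks the shadow file, because PASS_MAX_DAYS in login.defs only governs accounts created after the change and existing accounts keep the max age already stored in /etc/shadow.

```shell
#!/bin/sh
# Added audit helper (not from the original post): compare pwquality.conf,
# login.defs and the shadow file against minlen 14 / minclass 4 /
# PASS_MAX_DAYS 90 / PASS_MIN_DAYS 7 / PASS_WARN_AGE 14.

# Read one "key = value" setting from pwquality.conf (comments ignored, last match wins).
pwq_get() { # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9-]*\).*/\1/p" "$1" | tail -n 1
}
# Read one "KEY value" setting from login.defs (last match wins).
defs_get() { # $1=file $2=key
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
# audit_policy PWQUALITY_CONF LOGIN_DEFS SHADOW: print findings, return their count.
audit_policy() {
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    minlen=$(pwq_get "$1" minlen); minclass=$(pwq_get "$1" minclass)
    maxd=$(defs_get "$2" PASS_MAX_DAYS); mind=$(defs_get "$2" PASS_MIN_DAYS)
    warn=$(defs_get "$2" PASS_WARN_AGE)
    [ "${minlen:-0}" -ge 14 ]  || fail "minlen=${minlen:-unset}, want >= 14"
    [ "${minclass:-0}" -ge 4 ] || fail "minclass=${minclass:-unset}, want >= 4"
    [ -n "$maxd" ] && [ "$maxd" -le 90 ] || fail "PASS_MAX_DAYS=${maxd:-unset}, want <= 90"
    [ -n "$mind" ] && [ "$mind" -ge 7 ]  || fail "PASS_MIN_DAYS=${mind:-unset}, want >= 7"
    [ -n "$warn" ] && [ "$warn" -ge 14 ] || fail "PASS_WARN_AGE=${warn:-unset}, want >= 14"
    # login.defs only affects accounts created afterwards; existing accounts keep the
    # max age in shadow field 5, so check every account with a real hash as well
    # (locked accounts, whose field 2 starts with ! or *, are skipped).
    for entry in $(awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 ":" $5 }' "$3"); do
        user=${entry%%:*}; max=${entry##*:}
        if [ -z "$max" ] || [ "$max" -gt 90 ]; then
            fail "$user: shadow max age ${max:-none}, fix with: chage -M 90 $user"
        fi
    done
    return "$fails"
}
# When run directly on a host as root, audit the live files.
if [ -r /etc/security/pwquality.conf ] && [ -r /etc/login.defs ] && [ -r /etc/shadow ]; then
    audit_policy /etc/security/pwquality.conf /etc/login.defs /etc/shadow
fi
```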

Reference: CIS Linux Benchmark 5.4.1


Tags: lockdown-lab, hardening, linux, identity
Shimi Cohen