Enforcing Strong Passwords in Torizon OS
Introduction
Torizon brings the possibility to enforce strong passwords, and that feature comes disabled by default.
During the evaluation and development phases, it's a common practice to leave it disabled to speed up the process. But, just before production, it's strongly advised to enable and configure this feature in order to enforce security.
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the system administrators to choose how applications authenticate users.
One of these modules is pam_cracklib that checks the password against dictionary words.
A newer module, pam_pwquality is based on pam_cracklib. It is backward compatible with pam_cracklib and provides additional features.
Torizon OS is shipped with pam_pwquality module. The users can enable this module to have additional security for their devices. It helps users in creating new passwords that are not easy to guess e.g. by a brute force attack. See man pam_pwquality for documentation of this PAM module.
This article complies with the Typographic Conventions for the Toradex Documentation.
Prerequisites
- A Toradex SoM with Torizon installed.
Configuring Torizon to use Password Quality Module
Enable Password Quality Module
To enable password quality module pam_pwquality in Torizon OS, add it to the top of the PAM stack in /etc/pam.d/common-password like so:
password requisite pam_pwquality.so retry=3
Define password quality criteria
pam_pwquality defines a default policy in /etc/security/pwquality.conf. Some of the rules from this policy are given below:
- At least one character that is not present in the old password
- Minimum length for the new password is 8
- Check for words in the cracklib dictionary
- Check that the password is not based on the username
- Check if the password is a palindrome, similar to old password or rotated.
- The password quality checks are enforced i.e. user is asked to enter a new password if the entered password does not meet the criteria. This file also has good comments on what the different options defined there mean. For more information see man pwquality.conf.
In addition to these rules, the user can add/change rules like below in /etc/security/pwquality.conf:
# Minimum 1 digit
dcredit = -1
# Minimum 1 uppercase character
ucredit = -1
# Minimum 1 lowercase character
lcredit = -1
# Minimum 1 symbol(other character)
ocredit = -1
As noted earlier, strong passwords are enforced by default when pam_pwquality is enabled. If it is desired that only a warning is shown but weak passwords are still allowed, set following options in /etc/security/pwquality.conf:
# Do not enforce pwquality rules, just warn the user
enforcing = 0
enforce_for_root = 0
To capture the changes in these configuration files into an installation image, using TorizonCore Builder, see Capturing Configuration Changes in the Target Device. This enables the user to copy the same configuration change to several devices.
Choosing a strong password
There are many tools available that help a user in creating a strong password. On Debian systems, we can install the libpwquality-tools package and use pwmake to generate a strong password. pwmake takes one argument which is the number of bits of entropy used to generate the password. We can also use pwscore, also present in libpwquality-tools, to check the strength of a given password. pwscore rates passwords as an integer value between 0 and 100.
Here is how to use these tools in a Ubuntu container:
$ docker run -it --rm ubuntu
$$ apt-get update && apt-get install -y libpwquality-tools
$$ pwmake 128
V0sWAf0hIHIJDYh]ib]3kDagyNi
$$ echo "V0sWAf0hIHIJDYh]ib]3kDagyNi" | pwscore
100
Configure a password aging policy
Password aging is another technique to protect the users from weak passwords.
The password aging controls are defined in /etc/login.defs. The comments in this file also explain what different options mean. Here is the relevant excerpt:
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
Strengthening login security further with Certificate-based authentication
Certificate-based authentication provides many advantages over password-based authentication. This authentication method has high cryptographic strength, unlike user-defined passwords. Because of their cryptographic nature, certificates are also invincible to dictionary attacks.
Certificates also eliminate the need to memorize a password that may be forgotten and type each time a new connection is needed. To know more about how to use SSH, please visit the following link:
For more information on this authentication method, please visit the links below: