Force Strong Password on CentOS
vim /etc/pam.d/system-auth
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 difok=5 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
Explanation:
ucredit=-1 : At least one upper case letter
lcredit=-1 : At least one lower case letter
dcredit=-1 : At least one digit
ocredit=-1 : At least one symbol
minlen=8 : Minimum 8 characters
difok=5 : The minimum number of characters that must be different from the previous password
retry=3 : Prompt user at most 3 times before returning with error
Reference:
https://www.cyberciti.biz/faq/securing-passwords-libpam-cracklib-on-debian-ubuntu-linux/
Set Password Expiration Period
sudo vim /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
Explanation:
Force users to change their password once every three months, and send out a warning message seven days before password expiration.
Reference:
http://xmodulo.com/set-password-policy-linux.html
Prevent Password Reuse
sudo vim /etc/pam.d/system-auth
password sufficient pam_unix.so use_authtok md5 shadow remember=5
Explanation:
Append remember=5 to the pam_unix.so password line to prevent a user from reusing any of his or her last 5 passwords.
Reference:
https://www.cyberciti.biz/tips/how-to-linux-prevent-the-reuse-of-old-passwords.html
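Checking the three settings above after editing, as an added example that is not part of the original page: the script parses a PAM file and a login.defs file and reports every value weaker than the ones given here. The function names (pam_opt, defs_val, in_range, audit_policy) and the sample files are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a PAM file and login.defs against the settings on this page.
# Function names and the sample files at the bottom are constructed.

# pam_opt FILE MODULE OPT: first value of OPT= on an uncommented password line for MODULE
pam_opt() {
    awk -v mod="$2" -v opt="$3" '$1 == "password" && index($0, mod) {
        for (i = 3; i <= NF; i++) if (index($i, opt "=") == 1) {
            print substr($i, length(opt) + 2); exit } }' "$1"
}

# defs_val FILE KEY: value on the last uncommented KEY line of a login.defs file
defs_val() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# in_range VALUE MIN MAX: true if VALUE is a non-negative integer in [MIN, MAX]
in_range() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# audit_policy PAM_FILE LOGIN_DEFS: prints each deviation, returns their count
audit_policy() {
    fails=0
    for o in ucredit lcredit dcredit ocredit; do
        # a negative credit is the minimum count required for that character class
        case $(pam_opt "$1" pam_cracklib.so "$o") in
            -[1-9]*) ;;
            *) echo "FAIL pam_cracklib $o"; fails=$((fails + 1)) ;;
        esac
    done
    in_range "$(pam_opt "$1" pam_cracklib.so minlen)" 8 999 || { echo "FAIL minlen"; fails=$((fails + 1)); }
    in_range "$(pam_opt "$1" pam_cracklib.so difok)" 5 999 || { echo "FAIL difok"; fails=$((fails + 1)); }
    in_range "$(pam_opt "$1" pam_unix.so remember)" 5 999 || { echo "FAIL remember"; fails=$((fails + 1)); }
    in_range "$(defs_val "$2" PASS_MAX_DAYS)" 1 90 || { echo "FAIL PASS_MAX_DAYS"; fails=$((fails + 1)); }
    in_range "$(defs_val "$2" PASS_WARN_AGE)" 7 90 || { echo "FAIL PASS_WARN_AGE"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample input: the lines from this page, then a weakened copy.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' 'password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 difok=5 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' \
    'password sufficient pam_unix.so use_authtok md5 shadow remember=5' > "$d/good.pam"
printf '%s\n' 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 0' 'PASS_WARN_AGE 7' > "$d/good.defs"
printf '%s\n' 'password requisite pam_cracklib.so retry=3 minlen=6 ucredit=-1 lcredit=-1' \
    '#password sufficient pam_unix.so remember=5' > "$d/weak.pam"
printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_WARN_AGE 7' > "$d/weak.defs"
audit_policy "$d/good.pam" "$d/good.defs" && echo "good: compliant"
audit_policy "$d/weak.pam" "$d/weak.defs" || echo "weak: $? deviation(s)"
```

On a real host, call audit_policy /etc/pam.d/system-auth /etc/login.defs. The PASS_* values in login.defs are applied when an account is created, so existing accounts keep their current aging settings until changed with chage.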