Enforcing Strong Passwords in TorizonCore

Article updated at 09 Dec 2021

Torizon 5.5.0

Introduction

Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the system administrators to choose how applications authenticate users.

One of these modules is pam_cracklib, which checks a new password against dictionary words.

A newer module, pam_pwquality, is based on pam_cracklib. It is backwards compatible with pam_cracklib and provides additional checks.

TorizonCore ships with the pam_pwquality module. Users can enable this module to add a layer of security to their devices: it rejects new passwords that are easy to guess, e.g. by a brute-force or dictionary attack. See man pam_pwquality for the documentation of this PAM module.

This article complies with the Typographic Conventions for the Toradex Documentation.

Prerequisites

  • A Toradex SoM with Torizon installed.

Configuring Torizon to use Password Quality Module

Enable Password Quality Module

To enable the password quality module pam_pwquality in TorizonCore, add it to the top of the PAM password stack in /etc/pam.d/common-password like so:

password    requisite           pam_pwquality.so retry=3

Define password quality criteria

pam_pwquality reads its default policy from /etc/security/pwquality.conf. Some of the rules from this policy are given below:

  • At least one character that is not present in the old password
  • Minimum length for the new password is 8
  • Check for words in the cracklib dictionary
  • Check that the password is not based on the username
  • Check whether the password is a palindrome, or is similar to or a rotation of the old password
  • The password quality checks are enforced, i.e. the user is asked to enter a new password if the entered password does not meet the criteria

This file also has good comments on what the different options defined there mean. For more information see man pwquality.conf.

In addition to these rules, the user can add or change rules such as the following in /etc/security/pwquality.conf (a negative credit value is the minimum number of characters of that class the password must contain):

# Minimum 1 digit
dcredit = -1

# Minimum 1 uppercase character
ucredit = -1

# Minimum 1 lowercase character
lcredit = -1

# Minimum 1 symbol(other character)
ocredit = -1

As noted earlier, strong passwords are enforced by default when pam_pwquality is enabled. If only a warning should be shown while weak passwords are still accepted, set the following options in /etc/security/pwquality.conf:

# Do not enforce pwquality rules, just warn the user
enforcing = 0
enforce_for_root = 0

To capture the changes in these configuration files into an installation image using TorizonCore Builder, see Capturing Configuration Changes in the Target Device. This lets the user apply the same configuration change to several devices.

Choosing a strong password

There are many tools that help a user create a strong password. On Debian systems, we can install the libpwquality-tools package and use pwmake to generate a strong password. pwmake takes one argument: the number of bits of entropy used to generate the password. We can also use pwscore, also part of libpwquality-tools, to check the strength of a given password. pwscore rates passwords with an integer value between 0 and 100.

Here is how to use these tools in an Ubuntu container:

$ docker run -it --rm ubuntu
$$ apt-get update && apt-get install -y libpwquality-tools
$$ pwmake 128
V0sWAf0hIHIJDYh]ib]3kDagyNi
$$ echo "V0sWAf0hIHIJDYh]ib]3kDagyNi" | pwscore
100

Configure a password aging policy

Password aging is another technique to protect users from weak passwords: it limits how long a password, and therefore a weak or leaked one, remains valid.

The password aging controls are defined in /etc/login.defs. The comments in this file also explain what different options mean. Here is the relevant excerpt:

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
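Each of the three configuration steps above (pam_pwquality at the top of the password stack, the credit rules and enforcing flag in pwquality.conf, and PASS_MAX_DAYS in login.defs) leaves a setting that is easy to lose when an image is rebuilt. The following POSIX shell audit helper is an added example, not Toradex tooling; it checks that those settings are actually present, takes the file to inspect as an argument so it works on live /etc files or on a mounted rootfs, and assumes a 90-day maximum password age as the policy to verify against.

```shell
# Added audit helper, not Toradex tooling: checks that the PAM, pwquality and
# login.defs settings from this article are actually in place. Every function
# takes the file to inspect, so it works on live /etc files or constructed ones.

# 0 when the first active "password" rule loads pam_pwquality.so, i.e. the
# module sits at the top of the password stack in common-password.
pwquality_first_in_stack() {
    grep -v '^[[:space:]]*#' "$1" | grep '^[[:space:]]*password' | head -n1 \
        | grep -q 'pam_pwquality\.so'
}

# Print the effective "key = value" from pwquality.conf, skipping comment
# lines; the last assignment wins, as in the library itself.
pwquality_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n1
}

# 0 when a credit setting is negative, i.e. a hard minimum count
# (dcredit = -1 means "at least one digit"); 1 when unset or non-negative.
credit_is_minimum() {
    case "$(pwquality_value "$1" "$2")" in -[0-9]*) return 0 ;; *) return 1 ;; esac
}

# 0 when pwquality rules are enforced (the default), 1 when "enforcing = 0"
# has demoted them to a warning that still accepts weak passwords.
pwquality_enforcing() {
    v=$(pwquality_value "$1" enforcing)
    [ -z "$v" ] || [ "$v" != 0 ]
}

# 0 when PASS_MAX_DAYS in login.defs is set and no higher than $2 days;
# the shipped 99999 effectively disables password aging.
pass_max_days_ok() {
    d=$(sed -n 's/^[[:space:]]*PASS_MAX_DAYS[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | tail -n1)
    [ -n "$d" ] && [ "$d" -le "$2" ]
}

# Report on the live files; the 90-day limit is an assumed policy, not a Torizon default.
audit_device() {
    pwquality_first_in_stack /etc/pam.d/common-password || echo "WARN: pam_pwquality.so is not first in common-password"
    pwquality_enforcing /etc/security/pwquality.conf || echo "WARN: enforcing = 0, weak passwords are accepted"
    for c in dcredit ucredit lcredit ocredit; do
        credit_is_minimum /etc/security/pwquality.conf "$c" || echo "WARN: $c sets no minimum count"
    done
    pass_max_days_ok /etc/login.defs 90 || echo "WARN: PASS_MAX_DAYS is unset or above 90 days"
}
```

On a board, source the file and call audit_device; every WARN line names a setting from this article that the image does not carry.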

Strengthening login security further with certificate-based authentication

Certificate-based authentication provides many advantages over password-based authentication. Unlike user-defined passwords, this authentication method has high cryptographic strength. Because of their cryptographic nature, certificates are also immune to dictionary attacks. Certificates also eliminate the need to memorize a password that may be forgotten.

For more information on this authentication method, please visit the links below: