Changing the password regularly, about every 60 or 90 days, is now considered obsolete. It is better to use a separate strong password for each service and each login. The requirement for how strong (i.e., how complicated) a password must be is something that – at least on your own systems – you can define yourself.

On my test machine with Ubuntu, I can use almost any simple password I want – that has to change. To make sure it does, I first have to install the pwquality PAM library:

$ sudo apt install libpam-pwquality

Then I have to add a line to the /etc/pam.d/common-password configuration file. On Ubuntu 18.04 "Bionic Beaver," the default looks like this (this may be slightly different on other systems):

password [success=1 default=ignore] pam_unix.so obscure sha512

This line can remain as a fallback, but in front of it – and this is important – I need to insert the line from Listing 1. This is a single line, which I just wrapped for Listing 1 to improve readability. With the individual parameters (Table 1 breaks them down), the password requirements can be easily controlled.

password requisite pam_pwquality.so \
retry=4 minlen=9 difok=4 lcredit=-2 \
ucredit=-2 dcredit=-1 ocredit=-1 \
reject_username enforce_for_root

After restarting the system, the new password rule takes effect. To test it, I changed the password of the user bob (Figure 1). In doing so, I intentionally entered a password that was too short in the first round and one that can be found in common dictionaries in the second. The system categorically rejected both – and that's the way it should be.

Figure 1: After the change, the system rejects overly simple passwords.

As my third attempt, I entered a new password that complied with the modified rules: Cm1.Sya-n. This seems complicated, but it is mnemonic. It's the first letters and punctuation of the first words of Melville's Moby Dick [1], with a 1 instead of an I, because I need a digit according to the new password rule. The system accepted the password without complaint.