LabEx
Log InJoin Free

Implement Best Practices for Password Security

Kali LinuxBeginner
Practice Now

Introduction

Password security is a critical component of protecting systems and data from unauthorized access. Weak or compromised passwords are one of the most common entry points for attackers. Implementing a robust password policy is a fundamental security practice.

In this lab, you will learn how to implement several best practices for password security on a Linux system. You will configure password complexity rules, set up Multi-Factor Authentication (MFA), understand the role of password managers, enforce password rotation, and learn about the importance of user education.

Understand Password Complexity Requirements

In this step, you will enforce password complexity rules to ensure that users create strong passwords. A strong password typically includes a mix of uppercase letters, lowercase letters, numbers, and special characters, and has a sufficient length. We will use the Pluggable Authentication Module (PAM) pam_pwquality to achieve this.

First, let's install the libpam-pwquality package, which provides the necessary tools.

sudo apt-get install libpam-pwquality -y

Now, you need to configure the PAM stack to use this module for password changes. We will edit the /etc/pam.d/common-password file. This file contains the common configuration for password management.

Open the file using the nano editor:

sudo nano /etc/pam.d/common-password

Find the line that contains pam_unix.so and add the following line above it. This ensures the quality check happens before the password is actually changed by the pam_unix module.

password        requisite       pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

Let's break down these options:

  • retry=3: The user gets 3 attempts to enter a compliant password.
  • minlen=12: The minimum password length is 12 characters.
  • ucredit=-1: Requires at least one uppercase letter.
  • lcredit=-1: Requires at least one lowercase letter.
  • dcredit=-1: Requires at least one digit.
  • ocredit=-1: Requires at least one special (other) character.

Your file should look similar to this (some lines may differ):

## /etc/pam.d/common-password

...
password        requisite       pam_pwquality.so retry=3 minlen=12 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password        [success=1 default=ignore]      pam_unix.so obscure sha512
...

Press Ctrl+X, then Y, and Enter to save the file and exit nano.

Now, let's test the new policy. We'll try to change the password for the labex user.

passwd

First, enter your current password (you can just press Enter as there is no password set for labex). Then, try to set a weak password like password. The system should reject it and show an error message because it doesn't meet the complexity requirements.

(current) UNIX password:
New password:
BAD PASSWORD: The password is shorter than 12 characters
Retype new password:
Sorry, passwords do not match.
passwd: Authentication token manipulation error
passwd: password unchanged

Now, try again with a strong password like Labex!P@ssw0rd. This password should be accepted.

You have successfully configured password complexity requirements on your system.

Implement Multi-Factor Authentication

In this step, you will learn how to implement Multi-Factor Authentication (MFA). MFA adds a second layer of security by requiring users to provide two or more verification factors to gain access. We will use the Google Authenticator PAM module to add Time-based One-Time Password (TOTP) authentication.

First, install the libpam-google-authenticator package.

sudo apt-get install libpam-google-authenticator -y

Next, you need to generate an MFA configuration for your user. Run the following command as the labex user (not with sudo).

google-authenticator

The command will ask you a series of questions. For the purpose of this lab, answer them as follows:

  • Do you want authentication tokens to be time-based (y/n): Press y and Enter.
  • You will see a QR code, a secret key, and emergency scratch codes. In a real-world scenario, you would scan the QR code with an authenticator app on your phone. For this lab, we will just proceed.
  • Do you want me to update your "/home/labex/.google_authenticator" file? (y/n): Press y and Enter. This saves your secret key.
  • Do you want to disallow multiple uses of the same authentication token?: Press y and Enter.
  • Do you want to increase the time-skew window?: Press n and Enter.
  • Do you want to enable rate-limiting for the authentication module?: Press y and Enter.

This creates a .google_authenticator file in your home directory (/home/labex).

Now, let's configure SSH to use this MFA token. First, we need to tell PAM to require it for SSH sessions.

Open the /etc/pam.d/sshd file:

sudo nano /etc/pam.d/sshd

Add the following line at the end of the file:

auth required pam_google_authenticator.so

Save and exit the file (Ctrl+X, Y, Enter).

Next, we must enable challenge-response authentication in the SSH server configuration.

Open /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Find the line ChallengeResponseAuthentication no and change it to yes. If the line is commented out with a #, remove the #.

## /etc/ssh/sshd_config
...
ChallengeResponseAuthentication yes
...

Save and exit the file. In a real system, you would restart the SSH service. However, in this containerized environment, restarting services like sshd is not supported. The key takeaway is understanding the configuration steps required to enable MFA for SSH.

Use Password Managers

In this step, we will discuss the importance of password managers. Reusing passwords across different services is a major security risk. If one service is breached, attackers can use the leaked password to access your other accounts. A password manager helps you generate, store, and manage unique, strong passwords for every service.

KeePassXC is a popular, open-source, and free password manager that stores your passwords in a secure, encrypted database. While it is a graphical application, we will install it to understand how such tools are integrated into a user's workflow.

Let's install KeePassXC using apt-get.

sudo apt-get install keepassxc -y

After the installation is complete, you can verify it by checking for the command's existence.

which keepassxc

You should see the following output, indicating that the application is installed and available in your system's path.

/usr/bin/keepassxc

In a desktop environment, you would launch KeePassXC, create a new encrypted database with a strong master password, and start adding your login credentials for various websites and services. The application can also auto-generate very strong passwords for you. The key principle is to remember one strong master password to unlock the manager, and let the manager handle all your other complex passwords.

Regularly Rotate Passwords

In this step, you will learn how to enforce password rotation, also known as password aging. Regularly changing passwords limits the window of opportunity for an attacker who may have stolen a password.

In Linux, you can set system-wide password aging policies in the /etc/login.defs file. You can also set policies for individual users with the chage command. We will focus on the chage command.

First, let's view the current password aging settings for the labex user.

sudo chage -l labex

You will see output similar to this, with most values set to never.

Last password change                                    : May 20, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

The Maximum number of days between password change is set to 99999, which effectively means the password never expires. Let's change this to enforce a password change every 90 days.

Use the chage command with the -M option to set the maximum age.

sudo chage -M 90 labex

Now, check the settings again to confirm the change.

sudo chage -l labex

The output should now show that the maximum number of days is 90. The Password expires date will also be updated accordingly.

Last password change                                    : May 20, 2024
Password expires                                        : Aug 18, 2024
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

You have successfully configured a password rotation policy for a user.

Educate Users on Password Hygiene

In this step, we will focus on the human element of security. Technical controls are essential, but they are most effective when users also practice good password hygiene. Educating users about security best practices is a crucial, non-technical control.

Here are some key points of good password hygiene:

  • Do not reuse passwords: Use a unique password for every account.
  • Do not share passwords: Never share your password with anyone, including IT staff.
  • Beware of phishing: Be suspicious of emails or messages that ask for your login credentials.
  • Lock your screen: Always lock your computer when you step away from it.
  • Use passphrases: A long passphrase like correct-horse-battery-staple can be more secure and easier to remember than a short, complex password like J%7d*fQ!.

To simulate the creation of a user-facing policy document, let's create a simple text file in our project directory that outlines these rules.

First, create the file and add the first rule using the echo command and output redirection >.

echo "1. Do not share your password with anyone." > ~/project/password_policy.txt

Now, let's append two more rules to the file using the append operator >>.

echo "2. Use a unique password for each service." >> ~/project/password_policy.txt
echo "3. Beware of phishing emails asking for credentials." >> ~/project/password_policy.txt

Finally, display the contents of your new policy document using the cat command.

cat ~/project/password_policy.txt

You should see the following output:

1. Do not share your password with anyone.
2. Use a unique password for each service.
3. Beware of phishing emails asking for credentials.

This simple exercise demonstrates how security policies can be documented and shared. In a real organization, this would be part of a broader security awareness program.

Summary

In this lab, you have successfully implemented several key best practices for password security in a Linux environment. A multi-layered approach that combines technical controls with user education provides the strongest defense against unauthorized access.

You have learned how to:

  • Enforce strong password creation by configuring complexity requirements with pam_pwquality.
  • Add a critical second layer of security by setting up Multi-Factor Authentication with pam_google_authenticator.
  • Understand the role of password managers like KeePassXC in creating and storing unique, strong passwords.
  • Implement password rotation policies using the chage command to limit the risk from compromised credentials.
  • Recognize the importance of user education and documenting security policies for good password hygiene.

By applying these practices, you can significantly improve the security posture of any system you manage.

Related Kali Linux Courses
Kali Linux for Beginners

Kali Linux for Beginners

cybersecuritykalilinux
Kali Server Exploitation in Action

Kali Server Exploitation in Action

cybersecuritykalilinux