Configuring other password requirements
Password expiration
Password expiration can be set in /etc/login.defs. scroll down to the “Password aging controls” section:
PASS_MAX_DAYS: Default99999; Sets the maximum number of days a password may be used.PASS_MIN_DAYS: Default0; Sets the minimum number of days a user must keep their password before changing it.PASS_WARN_AGE: Default7; Sets the number of days out from expiration that the system will warn the user.
Password history
When configuring the password history of any system, it is generally considered best practice to remember the previous 10 passwords. This will ensure that the user’s passwords stay different and are not reused. Setting a minimum age of 1 and a password history of 10 means that somebody would need to wait at least 11 days before they’re able to get back to their original password. Usually this is enough to dissuade anyone from trying.
To configure password history in Ubuntu, use /etc/pam.d/common-password:
password: module type we are referencing.required: module where failure returns a failure to the PAM-API.pam_pwhistory.so: module that configures the password history requirements.remember=2: option for thepam_pwhistory.somodule to remember the lastnpasswords (n = 2). These passwords are saved in/etc/security/opasswd.retry=3: option for thepam_pwhistory.somodule to prompt the user3times before returning a failure.