Policy for initially setting or changing local passphrases/passwords in Fedora installs.
This policy is for applications that set or change passphrases/passwords locally on Fedora installations. One central place for policy for passphrases was desired and that is now in the
libpwquality package. This package ships defaults for Fedora as decided by FESCo. Fedora products can override the defaults by creating their own
/etc/security/pwquality.conf.d/ configuration file. The local administrators can set their own policy in the master
This policy is only for applications that set or change local passwords/passphrases. It has nothing to do with remote/central authentication stores, which can and do still have their own policies.
Summary of defaults
passwords/passphrases must be at least 8 characters long.
passwords/passphrases must have at least 1 character different from previous existing password/passphrase (if applicable).
passwords that fail to pass
libpwqualityshould display the failure to the user.
root / admin users should be able to override quality checks (for purposes of this, the installing user is root/admin)
applications may use the
libpwquality'score' to display an analog strength meter to users as an informational tool, but should not use score as a decision making factor for acceptance.
passwd, anything using
pam(such as login for changing expired passwords)
Want to help? Learn how to contribute to Fedora Docs ›