Passphrase policy

Policy for initially setting or changing local passphrases/passwords on Fedora installations.

Introduction

This policy applies to applications that set or change passphrases/passwords locally on Fedora installations. A single central place for passphrase policy was wanted, and that place is now the libpwquality package. The package ships the Fedora defaults as decided by FESCo. Fedora products can override those defaults by shipping their own configuration file in /etc/security/pwquality.conf.d/. Local administrators set their own policy in the master file, /etc/security/pwquality.conf, and an administrator's setting there wins over a product drop-in.
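The following is an added illustration of that layering, not a file from the libpwquality package or from any Fedora product. It assumes the libpwquality keys minlen and difok (which correspond to the two length/difference defaults summarized below) and uses a made-up drop-in name, 50-example-product.conf; the product value of 12 and the administrator's value of 10 are chosen only for illustration.

```ini
# /etc/security/pwquality.conf.d/50-example-product.conf
# Hypothetical product drop-in (example file name). A product that wants a
# stricter length than the Fedora default of 8 can ship a snippet like this.
minlen = 12
difok = 1

# /etc/security/pwquality.conf
# Master file owned by the local administrator. Anything set here takes
# precedence over the product drop-ins, so this machine ends up with
# minlen = 10 even though the product snippet asked for 12.
minlen = 10
difok = 1
```

To see what an application will be told, pipe a candidate through pwscore, which reads the password from standard input and prints either a score or the libpwquality failure message with a non-zero exit status; that message is the text the summary below says applications should show to the user. Note that the root override in the summary is a property of how pam_pwquality is configured, not of these files: pam_pwquality does not enforce failed checks for root unless its enforce_for_root option is given.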

Scope

This policy covers only applications that set or change local passwords/passphrases. It does not cover remote or central authentication stores, which can and do have their own policies.

Summary of defaults

  • passwords/passphrases must be at least 8 characters long (the libpwquality minlen setting).

  • passwords/passphrases must differ from the previous password/passphrase in at least 1 character, where a previous one exists (the libpwquality difok setting).

  • passwords that fail the libpwquality checks should have the failure, with the reason libpwquality reports, displayed to the user.

  • root / admin users should be able to override the quality checks (for this purpose, the user performing the installation counts as root/admin).

  • applications may use the libpwquality score to drive an analog strength meter as an informational aid, but must not use the score as a factor in deciding whether to accept the password.

Applications covered

  • anaconda

  • passwd, and anything using PAM (for example login, when it forces the change of an expired password)

  • gnome-initial-setup