Passphrase policy
Policy for initially setting or changing local passphrases/passwords in Fedora installs.
Introduction
This policy is for applications that set or change passphrases/passwords locally on Fedora installations. One central place for policy for passphrases was desired and that is now in the libpwquality
package. This package ships defaults for Fedora as decided by FESCo. Fedora products can override the defaults by creating their own /etc/security/pwquality.conf.d/
configuration file. The local administrators can set their own policy in the master /etc/security/pwquality.conf
file.
Scope
This policy is only for applications that set or change local passwords/passphrases. It has nothing to do with remote/central authentication stores, which can and do still have their own policies.
Summary of defaults
-
passwords/passphrases must be at least 8 characters long.
-
passwords/passphrases must have at least 1 character different from previous existing password/passphrase (if applicable).
-
passwords that fail to pass
libpwquality
should display the failure to the user. -
root / admin users should be able to override quality checks (for purposes of this, the installing user is root/admin)
-
applications may use the
libpwquality
'score' to display an analog strength meter to users as an informational tool, but should not use score as a decision making factor for acceptance.
Applications covered
-
anaconda
-
passwd
, anything usingpam
(such as login for changing expired passwords) -
gnome-initial-setup
Want to help? Learn how to contribute to Fedora Docs ›