
Password Policies

Manage password policies controlling complexity, history, and lifetime requirements. Password policies enforce minimum length, character classes, history depth, maximum lifetime, and other password quality constraints. Features include group-based policy assignment, priority ordering, failure lockout configuration, grace period settings, and coordination with Kerberos ticket policies for comprehensive password security.


Overview

Password policies in FreeIPA enforce security requirements for user passwords including complexity, length, lifetime, and reuse constraints. These policies balance security needs against usability, preventing weak passwords while avoiding overly restrictive requirements that encourage poor password practices. Password policy enforcement occurs during password changes through the passwd command and integrates with Kerberos ticket policies, account lockout mechanisms, and the pwquality library for strength checking.

IPA supports a global password policy applying to all users and group-specific policies targeting members of designated groups. Each user is subject to exactly one policy: if the user belongs to groups with password policies, the highest-priority group policy applies; otherwise, the global policy applies. Group policies completely replace the global policy rather than augmenting it, enabling distinct security requirements for different organizational roles.

Password policy evaluation occurs during password changes, validating new passwords against applicable policy constraints. Violations result in rejection with error messages indicating which requirements were not met. Policies integrate with account lockout (consecutive failure limits), grace periods (authentication allowance after expiration), and password history (preventing immediate reuse), creating comprehensive password security controls.

Global vs Group Policies

The global password policy serves as the default for all users not covered by group-specific policies. Configured through pwpolicy-mod without specifying a group, the global policy typically enforces baseline security requirements suitable for standard users. Organizations often use moderate global policies with stricter group policies for privileged accounts.

Group password policies target members of specific groups, enabling role-based password requirements. For example, administrators might require longer passwords, more frequent changes, and stricter complexity than standard users. Group policies must specify a priority (unique integer) determining which policy applies when users belong to multiple groups with policies.

Priority values determine policy precedence: lower numeric values indicate higher priority. When a user belongs to multiple groups with password policies, IPA applies the policy with the lowest priority number. This deterministic selection ensures consistent policy application regardless of group membership order.

Group policies are automatically deleted when their associated group is removed, maintaining consistency between group structure and policy configuration. Before deleting groups with password policies, verify affected users have appropriate policy coverage through other groups or the global policy.
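The selection rule described above, as an added example that is not FreeIPA's own code: a small model of how exactly one policy is chosen for a user (lowest priority number among the user's groups, otherwise the global policy, with no merging), plus the uniqueness check on priorities. The PwPolicy class and the sample groups are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PwPolicy:
    name: str                  # group name, or "global" for the default policy
    priority: Optional[int]    # None only for the global policy
    minlength: int = 8
    maxlife: int = 90
    history: int = 0

def validate_priorities(group_policies):
    """Group policies must each carry a priority, and priorities must be unique."""
    seen = {}
    for p in group_policies:
        if p.priority is None:
            raise ValueError(f"group policy {p.name} has no priority")
        if p.priority in seen:
            raise ValueError(f"priority {p.priority} used by both {seen[p.priority]} and {p.name}")
        seen[p.priority] = p.name

def effective_policy(user_groups, group_policies, global_policy):
    """Lowest priority number wins among the user's groups that carry a policy;
    a user in no such group gets the global policy unchanged."""
    candidates = [p for p in group_policies if p.name in user_groups]
    if not candidates:
        return global_policy
    return min(candidates, key=lambda p: p.priority)

# Constructed sample data: a stricter admin policy outranks the developer one.
GLOBAL = PwPolicy("global", None, minlength=8, maxlife=90, history=0)
POLICIES = [
    PwPolicy("localadmins", 10, minlength=12, maxlife=60, history=10),
    PwPolicy("developers", 20, minlength=10, maxlife=120, history=5),
]
validate_priorities(POLICIES)

if __name__ == "__main__":
    for groups in ({"localadmins", "developers"}, {"developers"}, {"sales"}):
        p = effective_policy(groups, POLICIES, GLOBAL)
        print(sorted(groups), "->", p.name, "minlength", p.minlength, "history", p.history)
    # Deleting the localadmins group also deletes its policy: the same user now
    # falls to the next group policy, never to a mix of the two.
    remaining = [p for p in POLICIES if p.name != "localadmins"]
    print(effective_policy({"localadmins", "developers"}, remaining, GLOBAL).name)
```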

Password Strength Requirements

Minimum Length (--minlength): Shortest acceptable password, typically 8-14 characters. Longer passwords generally increase security but may reduce usability. Modern guidance favors longer passphrases over complex shorter passwords.

Character Classes (--minclasses): Number of different character types (uppercase, lowercase, digits, special characters) required. Values 2-4 are common. Higher values increase complexity but can lead to predictable patterns (Password1!).

Character Credits (--dcredit, --ucredit, --lcredit, --ocredit): Adjust how character types contribute to length requirements:

  • 0 (default): Character type ignored in length calculation
  • Positive value: Each character of this type can reduce effective length requirement
  • Negative value: Minimum count of this character type required

Dictionary Check (--dictcheck): Rejects passwords matching dictionary words. Prevents common word passwords but may reject legitimate passphrases.

Username Check (--usercheck): Prevents passwords containing the username. Blocks obvious weak passwords (username as password or trivial variations).

Repeat Limits (--maxrepeat): Maximum consecutive identical characters (aaa). Prevents weak patterns like “aaabbb”.

Sequence Limits (--maxsequence): Maximum monotonic character sequences (abc, 123). Blocks keyboard patterns and simple sequences.

Password Lifetime and Expiration

Maximum Lifetime (--maxlife): Days until password expires and must be changed. Common values 60-180 days. Shorter lifetimes increase security at the cost of user friction. Modern security guidance questions aggressive rotation except for compromised credentials.

Minimum Lifetime (--minlife): Hours before password can be changed after setting. Prevents users from quickly cycling through history to reuse old passwords. Typical values 1-24 hours.

Grace Period (--gracelimit): Number of LDAP authentications allowed after expiration before the account becomes unusable. Provides a transition period for users to change expired passwords without being locked out:

  • -1: No expiration enforcement (legacy compatibility)
  • 0: No grace, account locks immediately on expiration
  • Positive: Number of additional logins allowed

Grace periods reduce support burden from sudden lockouts but slightly weaken expiration enforcement. Balance depends on organizational support capacity and security requirements.

Password History

Password history (--history) prevents reusing recent passwords, enforcing periodic password diversity. The history value specifies how many previous passwords are remembered and prohibited. Common values 3-10 depending on change frequency and security requirements.

History combined with minimum lifetime prevents users from quickly cycling passwords to return to favorites. For example, with history=5 and minlife=24h, users must set 5 new passwords over 5 days before potentially reusing an old password.

Excessive history values with frequent changes create password memorization challenges, potentially leading to insecure practices like written passwords or predictable patterns. Balance history depth with realistic user capabilities.

Account Lockout Configuration

Maximum Failures (--maxfail): Consecutive authentication failures before account lockout. Common values 3-10. Lower values improve security against brute force but increase risk of accidental lockouts.

Failure Interval (--failinterval): Seconds after which failure count resets. Enables recovery from temporary failure spikes (mistyped passwords). Typical values 300-3600 seconds (5-60 minutes).

Lockout Time (--lockouttime): Seconds account remains locked after exceeding failure threshold:

  • Positive value: Automatic unlock after specified time
  • 0 or not set: Manual unlock required (administrator intervention)

Account lockout protects against password guessing attacks but creates denial-of-service risk where attackers deliberately lock legitimate accounts. Monitor lockout events and establish efficient unlock procedures.
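The interaction of --maxfail, --failinterval and --lockouttime, as an added example that is not FreeIPA's code: a model of the lockout counter fed with a constructed sequence of timestamped authentication attempts, of the kind a defender might replay from logs to predict when an account locks and when it unlocks by itself. Field and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:           # names mirror the pwpolicy options
    maxfail: int = 5
    failinterval: int = 600    # seconds after which the failure count resets
    lockouttime: int = 0       # 0: stays locked until an administrator unlocks

@dataclass
class AccountState:
    failcount: int = 0
    last_fail: Optional[int] = None
    locked_at: Optional[int] = None

def is_locked(state, policy, now):
    if state.locked_at is None:
        return False
    if policy.lockouttime == 0:
        return True                        # manual unlock required
    return now - state.locked_at < policy.lockouttime

def admin_unlock(state):
    """What an administrator's manual unlock achieves in this model."""
    state.locked_at, state.failcount, state.last_fail = None, 0, None

def record_attempt(state, policy, now, success):
    """Apply one authentication attempt at time `now` (seconds).
    Returns 'locked' (rejected before the password is checked), 'ok' or 'fail'."""
    if is_locked(state, policy, now):
        return "locked"
    if state.locked_at is not None:        # lockouttime elapsed: automatic unlock
        admin_unlock(state)
    if success:
        state.failcount, state.last_fail = 0, None
        return "ok"
    # A failure older than failinterval no longer counts toward maxfail.
    if state.last_fail is not None and now - state.last_fail >= policy.failinterval:
        state.failcount = 0
    state.failcount += 1
    state.last_fail = now
    if state.failcount >= policy.maxfail:  # this failure trips the lockout
        state.locked_at = now
    return "fail"

def replay(attempts, policy):
    """Replay (timestamp, success) pairs against a fresh account; one verdict each."""
    state = AccountState()
    return [record_attempt(state, policy, t, ok) for t, ok in attempts]

# Constructed sample: three bad passwords within a minute trip maxfail=3; the
# correct password is refused at t=25 and accepted once lockouttime has passed.
SAMPLE = [(0, False), (10, False), (20, False), (25, True), (320, True)]
if __name__ == "__main__":
    print(replay(SAMPLE, LockoutPolicy(maxfail=3, failinterval=60, lockouttime=300)))
```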

pwquality Integration

The pwquality library provides advanced password strength checking beyond basic length and character class requirements. pwquality options (credits, dictionary check, user check, repeats, sequences) take precedence over or complement standard policy values.

When using pwquality options, minimum length must be ≥6 characters (pwquality requirement). pwquality evaluation occurs after basic policy checks, providing layered password validation.

Credit system enables flexible complexity requirements: positive credits reduce effective length requirement when strong characters are used, while negative credits mandate minimum character type counts. This flexibility enables policies that encourage rather than strictly require complexity.
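The credit arithmetic, class counting, repeat, sequence and username checks described in the two sections above, combined in one checker as an added example that is neither FreeIPA's nor libpwquality's code. The Policy class reuses the pwpolicy option names; the semantics (positive credit capped at the option value, negative credit as a mandatory count, a run longer than maxrepeat or maxsequence rejected) follow this page's description and are a model, not the library itself.

```python
from dataclasses import dataclass

@dataclass
class Policy:  # subset of pwpolicy options; names mirror the CLI flags
    minlength: int = 8
    minclasses: int = 1
    dcredit: int = 0
    ucredit: int = 0
    lcredit: int = 0
    ocredit: int = 0
    maxrepeat: int = 0      # 0 disables the check
    maxsequence: int = 0    # 0 disables the check
    usercheck: bool = True

_CLASSES = {"digit": str.isdigit, "upper": str.isupper, "lower": str.islower,
            "other": lambda c: not c.isalnum()}

def _credit(count, credit):
    # Positive: each char of the class adds 1 to the effective length, capped at
    # `credit`. Negative: no length credit, but at least -credit such chars required.
    if credit > 0:
        return min(count, credit), True
    if credit < 0:
        return 0, count >= -credit
    return 0, True

def _longest_run(pw, step):
    # Longest run whose consecutive code points differ by exactly `step`
    # (0: repeated character; 1 / -1: ascending / descending sequence).
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best

def check_password(pw, username, policy):
    """Return the list of violated requirements (empty means accepted)."""
    counts = {cls: sum(f(c) for c in pw) for cls, f in _CLASSES.items()}
    problems, credits = [], 0
    for cls, cred in (("digit", policy.dcredit), ("upper", policy.ucredit),
                      ("lower", policy.lcredit), ("other", policy.ocredit)):
        c, ok = _credit(counts[cls], cred)
        credits += c
        if not ok:
            problems.append(f"needs at least {-cred} {cls} character(s)")
    if len(pw) + credits < policy.minlength:
        problems.append(f"effective length {len(pw) + credits} < {policy.minlength}")
    if sum(1 for v in counts.values() if v) < policy.minclasses:
        problems.append(f"fewer than {policy.minclasses} character classes")
    if policy.maxrepeat and _longest_run(pw, 0) > policy.maxrepeat:
        problems.append(f"more than {policy.maxrepeat} identical consecutive characters")
    if policy.maxsequence and max(_longest_run(pw, 1), _longest_run(pw, -1)) > policy.maxsequence:
        problems.append(f"monotonic sequence longer than {policy.maxsequence}")
    if policy.usercheck and username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems
```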

Best Practices

Avoid excessive complexity: Overly complex requirements (many character classes, frequent changes, long history) lead to insecure compensating behaviors like password patterns or writing passwords down.

Prefer length over complexity: Modern guidance recommends longer passphrases (15+ characters) over shorter complex passwords. Length provides more entropy than complexity.

Use group policies for privileged accounts: Apply stricter requirements (longer passwords, more frequent changes) to administrators and privileged accounts while keeping reasonable requirements for standard users.

Set realistic maximum lifetime: While regular changes increase security, excessively frequent changes (30-60 days) reduce usability without proportionate security benefit. Consider 90-180 days unless compliance requires shorter.

Monitor lockout events: Track account lockouts to detect both security incidents (attack attempts) and operational issues (forgotten passwords, configuration problems).

Test policies before deployment: Validate new policies with test users before applying to production. Ensure requirements are achievable and clearly communicate changes to users.

Provide clear password guidance: Help users understand requirements and create strong, memorable passwords. Documentation and examples reduce support burden and improve compliance.

Coordinate with Kerberos ticket policies: Ensure password lifetime and grace periods align with Kerberos ticket policies. Misalignment creates confusing user experiences.

Integration with Other IPA Components

User Management (user-*): Password policies apply during user password changes. User authentication type (password, password+OTP) interacts with policy enforcement.

Password Changes (passwd): Password policy validation occurs during passwd operations, rejecting passwords failing policy requirements.

Kerberos Policies (krbtpolicy-*): Kerberos ticket policies control ticket lifetime and renewal. Password expiration integrates with ticket acquisition.

Global Configuration (config-show/mod): Global password policy is stored in IPA configuration and serves as default for all users.

Group Management (group-*): Group password policies target specific groups. Policy applies to all group members. Group deletion automatically removes associated password policy.

EXAMPLES

Modify the global policy:

ipa pwpolicy-mod --minlength=10

Add a new group password policy:

ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins

Display the global password policy:

ipa pwpolicy-show

Display a group password policy:

ipa pwpolicy-show localadmins

Display the policy that would be applied to a given user:

ipa pwpolicy-show --user=tuser1

Modify a group password policy:

ipa pwpolicy-mod --minclasses=2 localadmins

Commands


Command Description


pwpolicy-add Add a new group password policy.

pwpolicy-del Delete a group password policy.

pwpolicy-find Search for group password policies.

pwpolicy-mod Modify a group password policy.

pwpolicy-show Display information about password policy.


pwpolicy-add

Usage: ipa [global-options] pwpolicy-add GROUP [options]

Add a new group password policy.

Arguments


Argument Required Description


GROUP yes Manage password policy for specific group


Options


Option Description


--maxlife MAXLIFE Maximum password lifetime (in days)

--minlife MINLIFE Minimum password lifetime (in hours)

--history HISTORY Password history size

--minclasses MINCLASSES Minimum number of character classes

--minlength MINLENGTH Minimum length of password

--priority PRIORITY Priority of the policy (higher number means lower priority)

--maxfail MAXFAIL Consecutive failures before lockout

--failinterval FAILINTERVAL Period after which failure count will be reset (seconds)

--lockouttime LOCKOUTTIME Period for which lockout is enforced (seconds)

--maxrepeat MAXREPEAT Maximum number of same consecutive characters

--maxsequence MAXSEQUENCE The max. length of monotonic character sequences (abcd)

--dictcheck DICTCHECK Check if the password is a dictionary word

--usercheck USERCHECK Check if the password contains the username

--dcredit DCREDIT The max credit for digits in the password.

--ucredit UCREDIT The max credit for uppercase characters in the password.

--lcredit LCREDIT The max credit for lowercase characters in the password.

--ocredit OCREDIT The max credit for other characters in the password.

--gracelimit GRACELIMIT Number of LDAP authentications allowed after expiration

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.


pwpolicy-del

Usage: ipa [global-options] pwpolicy-del GROUP [options]

Delete a group password policy.

Arguments


Argument Required Description


GROUP yes Manage password policy for specific group


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



pwpolicy-find

Usage: ipa [global-options] pwpolicy-find [CRITERIA] [options]

Search for group password policies.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--group GROUP Manage password policy for specific group

--maxlife MAXLIFE Maximum password lifetime (in days)

--minlife MINLIFE Minimum password lifetime (in hours)

--history HISTORY Password history size

--minclasses MINCLASSES Minimum number of character classes

--minlength MINLENGTH Minimum length of password

--priority PRIORITY Priority of the policy (higher number means lower priority)

--maxfail MAXFAIL Consecutive failures before lockout

--failinterval FAILINTERVAL Period after which failure count will be reset (seconds)

--lockouttime LOCKOUTTIME Period for which lockout is enforced (seconds)

--maxrepeat MAXREPEAT Maximum number of same consecutive characters

--maxsequence MAXSEQUENCE The max. length of monotonic character sequences (abcd)

--dictcheck DICTCHECK Check if the password is a dictionary word

--usercheck USERCHECK Check if the password contains the username

--dcredit DCREDIT The max credit for digits in the password.

--ucredit UCREDIT The max credit for uppercase characters in the password.

--lcredit LCREDIT The max credit for lowercase characters in the password.

--ocredit OCREDIT The max credit for other characters in the password.

--gracelimit GRACELIMIT Number of LDAP authentications allowed after expiration

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“group”)


pwpolicy-mod

Usage: ipa [global-options] pwpolicy-mod [GROUP] [options]

Modify a group password policy.

Arguments


Argument Required Description


GROUP no Manage password policy for specific group


Options


Option Description


--maxlife MAXLIFE Maximum password lifetime (in days)

--minlife MINLIFE Minimum password lifetime (in hours)

--history HISTORY Password history size

--minclasses MINCLASSES Minimum number of character classes

--minlength MINLENGTH Minimum length of password

--priority PRIORITY Priority of the policy (higher number means lower priority)

--maxfail MAXFAIL Consecutive failures before lockout

--failinterval FAILINTERVAL Period after which failure count will be reset (seconds)

--lockouttime LOCKOUTTIME Period for which lockout is enforced (seconds)

--maxrepeat MAXREPEAT Maximum number of same consecutive characters

--maxsequence MAXSEQUENCE The max. length of monotonic character sequences (abcd)

--dictcheck DICTCHECK Check if the password is a dictionary word

--usercheck USERCHECK Check if the password contains the username

--dcredit DCREDIT The max credit for digits in the password.

--ucredit UCREDIT The max credit for uppercase characters in the password.

--lcredit LCREDIT The max credit for lowercase characters in the password.

--ocredit OCREDIT The max credit for other characters in the password.

--gracelimit GRACELIMIT Number of LDAP authentications allowed after expiration

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.


pwpolicy-show

Usage: ipa [global-options] pwpolicy-show [GROUP] [options]

Display information about password policy.

Arguments


Argument Required Description


GROUP no Manage password policy for specific group


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--user USER Display effective policy for a specific user

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.
