# CIS Benchmark Password Policy
# Implements CIS Debian Benchmark Section 5.4.1

# ============================================================================
# PAM Quality Requirements
# ============================================================================

# Minimum password length
minlen = 14

# Minimum number of lowercase characters
lcredit = -1

# Minimum number of uppercase characters
ucredit = -1

# Minimum number of digits
dcredit = -1

# Minimum number of special characters
ocredit = -1

# Maximum number of consecutive characters
maxclassrepeat = 3

# Maximum number of same consecutive characters
maxrepeat = 3

# Reject passwords containing the username
usercheck = 1

# Reject passwords containing common patterns
enforce_for_root

# Minimum number of character changes
difok = 3

# Check for common passwords
dictcheck = 1

# Reject passwords in dictionary
authtok_type =