Category filter

Configure password policy for Linux devices from Hexnode

A strong password protects your devices from unauthorized access and data breaches. Password policies, a set of rules and guidelines, help enforce strong and secure device passwords that are difficult for intruders to guess. With Hexnode UEM, imposing strong password policies can be simplified on your Linux devices. Admins can configure password constraints, like password length, number of characters, password age, etc., through the portal. On applying this policy, the user is mandated to protect the device with a password whose value satisfies the criteria specified by the admin.

Password policy for Linux devices

To configure password rule for the users and make the password mandatory on the devices:

  1. Login to your Hexnode UEM portal.
  2. Navigate to the Policies tab.
  3. Click on New policy to create a new one or click on any policy to edit an existing one.
  4. Enter the Policy name and Description in the provided fields.
  5. Navigate to Linux > Password > Configure.
  6. Configure password settings.

    Password settings

    Password settings Description
    Minimum password length Allows admins to set a minimum length for the password. The size ranges from 6 to 16. The default length is 8.
    Minimum password age (in days) The minimum number of days the user should use a password after setting it. This prevents users from immediately changing passwords multiple times. The default value is 7.
    Maximum password age (in days) The maximum number of days a password can be used before setting up a new one. This prevents users from using the same password for a long time. The value ranges from 0-730. The value should be greater than the minimum password age value. The default value is 90.
    Password expiration warning (in days) Specify the number of days before password expiry when the warning should be displayed to the user. It must be a value between the minimum password age and the maximum password age. The default value is 7.
    Minimum number of required classes of characters (digits, uppercase, lowercase, special) Specify the minimum number of required classes/types of characters for the new password. The value ranges from
    0-4.

    The four classes/types are:

    • Digits
    • Uppercase letters
    • Lowercase letters
    • Special characters

    If the option is set to value 2, then characters from any 2 or more of the above-mentioned classes can be used in the new password.

    Minimum number of digits Specify the minimum number of characters from “digits” class that must be included in a password.
    Minimum number of uppercase characters Specify the minimum number of “uppercase” characters (A-Z) that must be included in a password.
    Minimum number of lowercase characters Specify the minimum number of “lowercase” characters (a-z) that must be included in a password.
    Minimum number of special characters Specify the minimum number of “non-alphanumeric characters” (!, @, #, $, %, ^, &, etc.) that must be included in a password.
    Maximum number of consecutive identical characters allowed Specify maximum number of same characters that can appear consecutively in a password.

    For example, if the limit is set to 2, a password like “11aa22” is allowed. But “11aaa22” is not allowed as it contains 3 consecutive identical characters (aaa).

    Maximum number of consecutive characters allowed of identical class Specify maximum number of characters from the same class (digits, uppercase, lowercase, special) that can appear consecutively in a password. This option is meant to control the consecutive nature of characters from the same class.
    When you choose this option, only the specified number of characters (from the same class) can be used consecutively. For instance, when creating a password, the user can use only 2 digits/uppercase/lowercase/special characters consecutively when a value ‘2’ is chosen.

    Consider the password “15QTwu#&”, here the number of consecutive characters belonging to each class is 2:

    • Digits – 1, 5
    • Uppercase – Q, T
    • Lowercase – w, u
    • Special characters – #, &

    Since the minimum limit is set to 2, a password like “15QTwu#&” is allowed. But “153QTwu#&” is not allowed as it contains 3 characters of the same class (digits class – 1, 5, 3) appearing consecutively.

    Number of characters in the new password that must not be present in the old password Specify the number of characters in the new password that must not be same as the old password. Setting the value to 0 disables all checks of similarity between the new password and the old password, except when the new password is the same as the old one.

    For example, if the limit is 4, and the old password is “P@ssword1234” then a new password like “Qwerty!234” is invalid as there are 5 similar characters (w, r, 2, 3, and 4). The default value is 1.

  7. Finally, go to Policy Targets > + Add Devices.
  8. Select the required device(s) to which the policy needs to be associated.
  9. Click OK > Click Save.

Associate policy with Linux devices

To associate the policy with target devices, navigate to the Policies tab.

  • When the policy is not yet saved,
    1. Go to Policy Targets.
    2. Click on Devices > + Add Devices, select the required devices and click Ok to associate the policy with the target devices.
  • When the policy has already been saved,
    1. Select the appropriate policy.
    2. Then click on Manage > Associate Targets > choose the target devices and click on Associate to associate the policy with the target devices.

What happens at the device end?

On the device end, when the user tries to change the password, the newly entered password should align with the criteria set in the policy.

To change the password,

  1. Go to Settings > System > Users > Password.
  2. In the Change Password page, enter the Current Password > New Password > Confirm Password.

If the newly entered password does not align with the criteria, the user cannot save the new password. A prompt displaying password creation guidelines will be shown at the bottom of the Change Password page, and the Change option will be disabled.

New password mismatch when it does not align with the password policy for Linux.

New password matches when it aligns with the password policy for Linux.

New password matches when it aligns with the password policy for Linux ensuring maximum security.

Notes:

  • If the Settings page remains open after applying the policy, it should be closed for the password policy to take effect on the device. The same applies when removing the policy.
  • The policy is not supported on Linux distributions using KDE as the desktop environment.

  • Managing Linux devices