Using a database of 100 million+ breached passwords to secure a Linux server/Endpoint for an SME

With the NCSC's newly recommended best practices involving a banned password list, and Microsoft recommending and even implementing the same for any users subscribed to Azure Active Directory, it is clear how important a banned password list can be to an organisation. See more about Microsoft's new recommendations here and their implementation here.

This best practice is becoming more widely accepted, and is mentioned in the NIST 800-63-3 standard.

Since it's easy to achieve this best practice on Windows, and Linux servers are still being compromised through default or weak credentials at an alarming rate, I thought I'd write a step-by-step guide on configuring this for Linux using easily available wordlists and PAM modules, specifically libcrack (the pam_cracklib module).

This guide assumes you are using Ubuntu or CentOS; you may need to adjust the steps for other distributions, although they should be very similar (yum instead of apt-get, a slightly different package name, and so on).

First, install the libpam-cracklib package:

sudo apt-get install libpam-cracklib

sudo yum install cracklib #for CentOS

Once installed, navigate to the following directory:

/etc/pam.d

On Ubuntu: edit the passwd file, remove the existing uncommented line and replace it with the line below.

On CentOS: leave the current config file as is and add the line below at the end of the file:

passwd password required pam_cracklib.so retry=3 dictpath=/usr/share/dict/ minlen=8

Other options can also be configured; see here.

Once you've configured the passwd file, you need to download a wordlist.

Many good wordlists can be downloaded from https://weakpass.com/wordlist

Note that some wordlists take up a large amount of space, and the bigger the wordlist the longer the import in the later steps will take. Once processed, however, it added no noticeable delay to changing a password on my virtual machine (VM specs: 4GB RAM, 2 vCPU).

I've created a wordlist of 19.5 million common passwords, available to download here if you don't want to browse for one.

Alternatively, if you have multiple wordlists, merge them into one and remove duplicates as follows:

sort -u wordlist1.txt wordlist2.txt > combinedwordlist.txt

Once you're happy with your wordlist, move it to the /usr/share/dict/ directory:

sudo mv complete.txt /usr/share/dict/complete.txt

Then run the following command to build and enable your wordlist:

sudo create-cracklib-dict /usr/share/dict/yourwordlist.txt

The moment of truth: try changing your password via passwd to a common word, such as password, and see whether you receive an error like the one captured below.

I've also created a simple .sh script to do this for you for wider-scale deployment; just ensure the completed wordlist is called wordlist.txt and is in the same directory as the script. The script and my wordlist can both be found here (it may be better to use your own larger wordlist, since mine is only 19.5 million entries).

Script usage is simple, although note that this script is for Ubuntu, not CentOS:

sudo ./BannedPasswordsSetup.sh
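As an added example (not the author's BannedPasswordsSetup.sh), the shell functions below automate the merge-and-dedupe step, compile the cracklib dictionary when create-cracklib-dict is installed, and let you check a candidate password against the plain merged list before it goes live. The sample wordlists are constructed inline and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not the author's BannedPasswordsSetup.sh): merge downloaded
# wordlists into one banned list, optionally build the cracklib dictionary from
# it, and check a candidate password against the plain list so the list can be
# verified before it is installed. File names below are assumptions.
set -u

# Merge and de-duplicate wordlists into the file named by $1 (remaining args are
# the inputs). Normalises the way cracklib-format does: lowercase, no CR, no
# blank lines. Prints the number of unique entries.
merge_wordlists() {
    out=$1; shift
    cat "$@" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | grep -v '^$' \
        | LC_ALL=C sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Exit 0 if the candidate password ($2) is in the merged list ($1), else 1.
# Lowercased before lookup because cracklib dictionaries are stored lowercased.
is_banned() {
    needle=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    grep -qxF -- "$needle" "$1"
}

# Compile the cracklib dictionary from the merged list (needs root to write to
# the default dictionary location); prints "skipped" when the tool is absent.
build_dict() {
    if command -v create-cracklib-dict >/dev/null 2>&1; then
        create-cracklib-dict "$1" >/dev/null && echo built
    else
        echo skipped
    fi
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample wordlists standing in for the downloaded ones.
    printf 'Password\n123456\n\nqwerty\r\n' > "$tmp/wordlist1.txt"
    printf 'letmein\nQWERTY\n' > "$tmp/wordlist2.txt"
    echo "unique entries: $(merge_wordlists "$tmp/complete.txt" "$tmp"/wordlist*.txt)"
    for pw in Password letmein 'correct horse battery'; do
        if is_banned "$tmp/complete.txt" "$pw"; then echo "$pw: banned"; else echo "$pw: ok"; fi
    done
    rm -rf "$tmp"
}
demo
```

Run build_dict on the merged file as root to install it for pam_cracklib; the demo only exercises the merge and lookup so it is safe to run anywhere.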
