Listing 6. The password section of the /etc/pam.d/passwd file that
enforces good practices for new passwords.

#
# retry=3 allows three tries for a new password
# minlen=10 requires at least ten characters
# ucredit=-1 requires at least one uppercase character
# lcredit=0 accepts any number of lowercase characters
# dcredit=-2 requires at least two digits
# ocredit=-1 requires at least one non-alphabetic symbol
#
password required pam_cracklib.so retry=3 minlen=10 \
     ucredit=-1 lcredit=0 dcredit=-2 ocredit=-1
#
# As pam_cracklib only checks passwords, but doesn't store
# them, we require the standard pam_unix module for this.
# The use_authtok parameter ensures pam_unix won't ask for a
# password by itself, but rather will use the one provided by
# pam_cracklib.
#
password  required pam_unix.so use_authtok nullok