Is It a Best/Recommended Practice to Enforce Complex Passwords?

Problem scenario
You are modifying /etc/security/pwquality.conf. Is it a recommended practice to require few or no repeating characters and several classes of characters (lowercase, uppercase, numbers and special characters)?

It can be counterproductive to have very strong password requirements, according to NIST (

If you are using Linux or Unix, NIST does suggest you use a crack library dictionary (per A-B10 from Often these are used by default.

You may want to read this:

The FBI says "Make sure your password is as long as the system will allow." (This was taken from
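
One way to check an existing pwquality.conf against the points above (composition rules, the dictionary check, and length), as an added example that is not from the original page. The sample configurations are constructed, and the min_length threshold of 12 is an assumed local policy value, not a figure from the page or the sources it cites.

```python
COMPOSITION_CREDITS = ("dcredit", "ucredit", "lcredit", "ocredit")

def parse_pwquality(text):
    """Parse pwquality.conf text: 'key = value' lines, '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else "1"  # bare flag
    return settings

def _as_int(settings, key):
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return None  # unset or not a number

def audit(text, min_length=12):  # min_length is an assumed local policy value
    """Return (key, message) pairs for settings worth reviewing."""
    s, findings = parse_pwquality(text), []
    for key in COMPOSITION_CREDITS:
        v = _as_int(s, key)
        if v is not None and v < 0:  # negative credit = required minimum
            findings.append((key, f"requires at least {-v} character(s) of this class"))
    minclass = _as_int(s, "minclass")
    if minclass is not None and minclass > 1:
        findings.append(("minclass", f"requires {minclass} character classes"))
    maxrepeat = _as_int(s, "maxrepeat")
    if maxrepeat is not None and maxrepeat > 0:  # 0 disables the check
        findings.append(("maxrepeat", f"rejects more than {maxrepeat} repeated characters in a row"))
    if _as_int(s, "dictcheck") == 0:
        findings.append(("dictcheck", "cracklib dictionary check is disabled"))
    minlen = _as_int(s, "minlen")
    if minlen is None or minlen < min_length:
        findings.append(("minlen", f"minimum length is unset or below {min_length}"))
    return findings

# Constructed sample: composition-heavy, short, dictionary check off.
SAMPLE_COMPLEX = ("minlen = 8\ndcredit = -1\nucredit = -1\nlcredit = -1\n"
                  "ocredit = -1\nmaxrepeat = 2\ndictcheck = 0  # off\n")
# Constructed sample: length plus dictionary check, no composition rules.
SAMPLE_LONG = "minlen = 16\ndictcheck = 1\n"

if __name__ == "__main__":
    for name, conf in (("complex", SAMPLE_COMPLEX), ("long", SAMPLE_LONG)):
        print(name, audit(conf))
```
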

Some sources recommend you have complex passwords:
