Before going on the technical part, make sure you have a strong password policy. A strong password policy is the best way to secure your system, and, remember, if you have a perfect system and a strong password policy you have done only the 50% of the job. If the users of your system make a sconsiderate use of their passwords, your system is not secure, so the remaining 50% of the job is the control of the correct use of your system.


1. Password policy

A good password:
    should be at least 8 characters long (upper and lower).
    it should contain numbers and special characters

To enforce the password policy configure the pam_cracklib.so 
The system administrator should check for weak password using tools like "John the ripper"


2. Password Aging

In Linux you can use the chage command to change user password expiry information.

For example, if you want userName to change his password after 90 days you can issue the following command:

the -W WARN_DAYS switch sets the number of days of warning before a password change is required. The WARN_DAYS option is the number of days prior to the password expiring that a user will be warned his/her password is about to expire.

3. Prevent the reuse of old password.

The pam_unix module provides the capability to set the number of the previous passwords that the user cannot reuse.
Take a look at man 8 pam_unix, and search for the remember parameter.

4. Lock User's account after login failures

Linux provides the faillog utility it displays faillog records or sets login failure limits
For example you could lock a user after three login failures

to unlock a user

Remember that for the root user you should set the maximum login failures value to 0. In this way you could avoid a DoS against the root user. 
Anyway take a look at the faillog man page.

 

And you? what are the best practices you use in your system?

Gg1