Skip to content

pwquality conf

pwquality.conf

/etc/security/pwquality.conf

pwquality.conf provides a way to configure the default password quality requirements for the system passwords. This file is read by the libpwquality library and utilities that use this library for checking and generating passwords.

The file has a very simple name = value format with possible comments starting with # character. The whitespace at the beginning of line, end of line, and around the = sign is ignored.

Options

The possible options in the file are:

  • difok Number of characters in the new password that must not be present in the old password. (default 5)
  • minlen Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_pwquality(8).) Cannot be set to lower value than 6. (default 9)
  • dcredit The maximum credit for having digits in the new password. If less than 0 it is the minimum number of digits in the new password. (default 1)
  • ucredit The maximum credit for having uppercase characters in the new password. If less than 0 it is the minimum number of uppercase characters in the new password. (default 1)
  • lcredit The maximum credit for having lowercase characters in the new password. If less than 0 it is the minimum number of lowercase characters in the new password. (default 1)
  • ocredit The maximum credit for having other characters in the new password. If less than 0 it is the minimum number of other characters in the new password. (default 1)
  • minclass The minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others). (default 0)
  • maxrepeat The maximum number of allowed same consecutive characters in the new password. The check is disabled if the value is 0. (default 0)
  • maxclassrepeat The maximum number of allowed consecutive characters of the same class in the new password. The check is disabled if the value is 0. (default 0)
  • gecoscheck If nonzero, check whether the words longer than 3 characters from the GECOS field of the user's passwd entry are contained in the new password. The check is disabled if the value is 0. (default 0)
  • badwords Space separated list of words that must not be contained in the password. These are additional words to the cracklib dictionary check. This setting can be also used by applications to emulate the gecos check for user accounts that are not created yet.
  • dictpath Path to the cracklib dictionaries. Default is to use the cracklib default.

Default Configuration all servers

# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
#minlen = 8
minlen = 10 
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
dcredit = -1
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
ucredit = -1
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
lcredit = -1
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
ocredit = -1
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
minclass = 2
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#maxrepeat = 2
#
# The maximum number of allowed consecutive characters of the same class in the
# new password.
# The check is disabled if the value is 0.
# maxclassrepeat = 0
#maxclassrepeat = 4
#
# Whether to check for the words from the passwd entry GECOS string of the user.
# The check is enabled if the value is not 0.
# gecoscheck = 0
#
# Whether to check for the words from the cracklib dictionary.
# The check is enabled if the value is not 0.
# dictcheck = 1
#
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
# usercheck = 1
#
# Length of substrings from the username to check for in the password
# The check is enabled if the value is greater than 0 and usercheck is enabled.
# usersubstr = 0
#
# Whether the check is enforced by the PAM module and possibly other
# applications.
# The new password is rejected if it fails the check and the value is not 0.
# enforcing = 1
#
# Path to the cracklib dictionaries. Default is to use the cracklib default.
# dictpath =
#
# Prompt user at most N times before returning with error. The default is 1.
# retry = 3
retry = 3
#
# Enforces pwquality checks on the root user password.
# Enabled if the option is present.
# enforce_for_root
#
# Skip testing the password quality for users that are not present in the
# /etc/passwd file.
# Enabled if the option is present.
# local_users_only

pwscore

Use: pwscore [user]

pwscore is a simple tool for checking quality of a password. The password is read from stdin.

The tool uses the libpwquality library to perform configurable checks for minimum length, dictionary checking against cracklib dictionaries, and other checks.

It either reports an error if the password fails any of the checks, or it prints out the password quality score as an integer value between 0 and 100.

The password quality score is relative to the minlen setting in the configuration file. But in general values below 50 can be treated as moderate quality and above it fairly strong quality. Any password that passes the quality checks (especially the mandatory cracklib check) should withstand dictionary attacks and scores above 50 with the default minlen setting even fast brute force attacks.

Options

The first and only optional argument is the user name that is used to check the similarity of the password to the username.

pwmake

Use: pwmake

pwmake is a simple configurable tool for generating random and relatively easily pronounceable passwords. The tool allows you to specify the number of entropy bits that are used to generate the password.

The entropy is pulled from /dev/urandom.

The minimum number of bits is 56 which is usable for passwords on systems/services where brute force attacks are of very limited rate of tries. The 64 bits should be adequate for applications where the attacker does not have direct access to the password hash file. For situations where the attacker might obtain the direct access to the password hash or the password is used as an encryption key 80 to 128 bits should be used depending on your level of paranoia.

Options

The first and only argument is the number of bits of entropy used to generate the password.