
I was trying to enforce password length to a minimum of 10 using pam_cracklib.

Here is my /etc/pam.d/common-password:

```
password        requisite                       pam_cracklib.so retry=3 minlen=10 difok=3 dcredit=1  ocredit=1 ucredit=1
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
```

After setting this, I am able to set passwords with fewer than 10 characters. I read about this as a bug at https://bugs.launchpad.net/ubuntu/+source/pam/+bug/139999

Is there any fix/workaround/alternative to enforce password length in Ubuntu 12.04?

200_success
Ajo Augustine
  • What is in `/etc/pam.d/passwd`? – 200_success Jun 12 '14 at 07:12
  • @include common-password – Ajo Augustine Jun 12 '14 at 08:54
  • I don't know much about this, but if it lets you set an arbitrary password-checker, you could roll your own, which first checks the length and then calls pam_cracklib to do the rest. (Sorry if this is obvious and stupid; I just know a little about what you can do in OpenBSD, not Ubuntu.) – Tom Zych Jun 14 '14 at 19:57

1 Answer

I just wanted to answer "Wrong option, guys" but lookie here:

https://bugs.launchpad.net/ubuntu/+source/pam/+bug/139999 [...] Steve Langasek (vorlon) wrote on 2008-07-30:

> To set a hard minimum password length, please use the 'min' option to pam_unix instead. The 'minlen' option to pam_cracklib doesn't do what the name suggests it should do. I'm confirming this as a documentation bug; the pam_cracklib documentation needs to be made a lot clearer about this. [...]

I'd like to point out that the default comment in /etc/security/pwquality.conf tells us the same, alas using convoluted grammar:

> Minimum acceptable size for the new password (plus one if credits are not disabled which is the default). (See pam_cracklib manual.) Cannot be set to lower value than 6.

So:

```
min = 10
enforcing = 1
```

or:

```
minlen = 10
dcredit = 0
ucredit = 0
lcredit = 0
ocredit = 0
minclass = 4
enforcing = 1
```

...should do the trick. HTH
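Why `minlen=10` with positive credits still accepts short passwords, shown as an added example that is not part of the answer above or of the PAM source: a Python model of the minlen/credit rule as the pam_cracklib manual describes it, covering only the length test (no dictionary, `difok` or `minclass` checks). The function names and sample passwords are constructed for illustration, and `lcredit` is assumed to be at its manual-page default of 1 because the question's config does not set it.

```python
# Model of the pam_cracklib minlen/credit rule as described in its manual page.
# Only the length check is modelled; names and samples here are constructed.
import string


def class_counts(password):
    """Count digits, uppercase, lowercase and other characters."""
    digits = sum(c in string.digits for c in password)
    uppers = sum(c in string.ascii_uppercase for c in password)
    lowers = sum(c in string.ascii_lowercase for c in password)
    others = len(password) - digits - uppers - lowers
    return digits, uppers, lowers, others


def required_length(password, minlen, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Length the password must reach, or None if a mandatory class is missing.

    credit >= 0: each character of that class, up to the credit, lowers the
                 required length by one.
    credit <  0: at least -credit characters of that class are mandatory and
                 no length credit is granted for them.
    """
    needed = minlen
    for count, credit in zip(class_counts(password),
                             (dcredit, ucredit, lcredit, ocredit)):
        if credit >= 0:
            needed -= min(count, credit)
        elif count < -credit:
            return None
    return needed


def passes_length_check(password, minlen, **credits):
    """True if the password satisfies the modelled minlen/credit test."""
    needed = required_length(password, minlen, **credits)
    return needed is not None and len(password) >= needed


if __name__ == "__main__":
    asker = dict(dcredit=1, ucredit=1, ocredit=1)   # lcredit stays at default 1
    no_credit = dict(dcredit=0, ucredit=0, lcredit=0, ocredit=0)
    for pw in ("Ab1!xy", "abcdefghi", "Ab1!xyzwvu"):  # constructed samples
        print(pw, len(pw),
              passes_length_check(pw, 10, **asker),
              passes_length_check(pw, 10, **no_credit))
```

With the question's credits, a six-character password using all four classes meets `minlen=10`; with every credit set to 0, `minlen` behaves as a plain length floor.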