pam_cracklib on Linux: how to disable credits

Nilesh asked:

The pam_cracklib ‘minlen’ does not work as I want it to.
PAM allows passwords even with lesser length than it is set to with the ‘minlen’ option.
It gives credits (by default 1) to the ‘upper-case’, ‘lower-case’, ‘digit’ and ‘other-character’.

Therefore if minlen is set to 8, the following passwords are allowed as valid:

  • ‘abcdefg’ (length = 7+1 credit for use of lower-case characters)
  • ‘abcde1′(length = 6 + 1 credit for use of lower-case characters + 1 credit for using a digit)
  • ‘Abcd1’ (length = 5 + 1 credit for use of lower-case characters + 1 credit for using a digit + 1 for using an upper case character)
  • ‘Ab1$’ (length = 4 + 1 credit for use of lower-case characters + 1 credit for using a digit + 1 for using an upper case character + 1 for using an other character)

I do not want PAM give credits to these class of characters and want to strictly enforce minlen as specified irrespective of what type of characters are used in the password.
I also tried with the following setting, but that didn’t help:

password required pam_cracklib.so lcredit=0 dcredit=0 ucredit= ocredit=0 minlen=8

My answer:


You don’t have to use pam_cracklib to enforce a minimum password length; pam_unix will happily do this. Just use min=8 or minlen=8 (it’s min in older versions of PAM; check your pam_unix man page).


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.