The pam_cracklib ‘minlen’ does not work as I want it to.
PAM allows passwords even with lesser length than it is set to with the ‘minlen’ option.
It gives credits (by default 1) to the ‘upper-case’, ‘lower-case’, ‘digit’ and ‘other-character’.
Therefore if minlen is set to 8, the following passwords are allowed as valid:
- ‘abcdefg’ (length = 7 + 1 credit for use of lower-case characters)
- ‘abcde1’ (length = 6 + 1 credit for use of lower-case characters + 1 credit for using a digit)
- ‘Abcd1’ (length = 5 + 1 credit for use of lower-case characters + 1 credit for using a digit + 1 for using an upper case character)
- ‘Ab1$’ (length = 4 + 1 credit for use of lower-case characters + 1 credit for using a digit + 1 for using an upper case character + 1 for using an other character)
I do not want PAM to give credits to these classes of characters and want to strictly enforce minlen as specified, irrespective of what type of characters are used in the password.
I also tried with the following setting, but that didn’t help:
password required pam_cracklib.so lcredit=0 dcredit=0 ucredit= ocredit=0 minlen=8
You don’t have to use pam_cracklib to enforce a minimum password length; pam_unix will happily do this. Just use
min in older versions of PAM; check your pam_unix man page).
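The credit arithmetic described in the question, as an added example that is not part of the original posts or of pam_cracklib itself: a Python model of the module's length check only (dictionary and other checks are not modelled). The function names, the constructed configuration lines and the refusal of an empty credit value are assumptions of this example.

```python
# Added example: models only pam_cracklib's minlen/credit arithmetic.
CLASSES = ("dcredit", "ucredit", "lcredit", "ocredit")

def parse_options(pam_line):
    """Read minlen and the four *credit options from a pam_cracklib line."""
    opts = {"minlen": 9, **{c: 1 for c in CLASSES}}  # documented defaults
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            if not value:
                # Assumption of this example: refuse an empty value, do not guess.
                raise ValueError(f"{key}= has no value")
            opts[key] = int(value)
    return opts

def class_counts(password):
    """Count digits, upper-case, lower-case and other characters."""
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        name = ("dcredit" if ch.isdigit() else "ucredit" if ch.isupper()
                else "lcredit" if ch.islower() else "ocredit")
        counts[name] += 1
    return counts

def passes_length_check(password, opts):
    """True if len(password) meets minlen after credits are subtracted."""
    needed = opts["minlen"]
    for name, count in class_counts(password).items():
        credit = opts[name]
        if credit >= 0:
            needed -= min(count, credit)  # credit shortens the required length
        elif count < -credit:
            return False                  # negative credit: class minimum unmet
    return len(password) >= needed

# Constructed configuration lines: default credits vs. all credits disabled.
WITH_CREDITS = parse_options("password required pam_cracklib.so minlen=8")
NO_CREDITS = parse_options(
    "password required pam_cracklib.so lcredit=0 dcredit=0 ucredit=0 ocredit=0 minlen=8")
SAMPLES = ["abcdefg", "abcde1", "Abcd1", "Ab1$", "abcdefgh"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r:12} credits={passes_length_check(pw, WITH_CREDITS)} "
              f"no-credits={passes_length_check(pw, NO_CREDITS)}")
```

In this model, every credit set to 0 makes minlen a strict character count, while a negative credit turns that class into a required minimum instead of a length discount.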
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.