The pam_cracklib 'minlen' does not work as I want it to.
PAM allows passwords even with lesser length than it is set to with the 'minlen' option.
It gives credits (by default 1) to the 'upper-case', 'lower-case', 'digit' and 'other-character'.
Therefore if minlen is set to 8, the following passwords are allowed as valid:
- 'abcdefg' (length = 7 + 1 credit for use of lower-case characters)
- 'abcde1' (length = 6 + 1 credit for use of lower-case characters + 1 credit for using a digit)
- 'Abcd1' (length = 5 + 1 credit for use of lower-case characters + 1 credit for using a digit + 1 for using an upper case character)
- 'Ab1$' (length = 4 + 1 credit for use of lower-case characters + 1 credit for using a digit + 1 for using an upper case character + 1 for using an other character)
I do not want PAM to give credits to these classes of characters and want to strictly enforce minlen as specified, irrespective of what type of characters are used in the password.
I also tried with the following setting, but that didn't help:
password required pam_cracklib.so lcredit=0 dcredit=0 ucredit= ocredit=0 minlen=8
Best Answer
You don't have to use pam_cracklib to enforce a minimum password length; pam_unix will happily do this. Just use min=8 or minlen=8 (it's min in older versions of PAM; check your pam_unix man page).
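
The credit arithmetic from the question, as an added example that is not part of the original post or answer and is not pam_cracklib's own code: a Python model of the minlen/credit rule as the pam_cracklib man page describes it (N >= 0 is a maximum credit, N < 0 is a required count). The function names are hypothetical, and the model covers only the length check, not the module's dictionary or similarity tests.

```python
import string

# Added illustration: models the length/credit rule only. Option names
# match the pam_cracklib arguments; everything else is an assumption.
DEFAULT_CREDITS = {"lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}


def class_counts(password):
    """Count characters per class, keyed by the credit option that covers it."""
    counts = {"lcredit": 0, "ucredit": 0, "dcredit": 0, "ocredit": 0}
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.digits:
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def passes_minlen(password, minlen, credits=DEFAULT_CREDITS):
    """Return (accepted, effective_length) for the minlen check alone."""
    counts = class_counts(password)
    effective = len(password)
    for name, credit in credits.items():
        if credit >= 0:
            # N >= 0: each character of the class earns +1, up to N.
            effective += min(counts[name], credit)
        elif counts[name] < -credit:
            # N < 0: at least |N| characters of the class are required.
            return False, len(password)
    return effective >= minlen, effective


def shortest_accepted(minlen, credits=DEFAULT_CREDITS):
    """Smallest real password length that can satisfy minlen."""
    max_credit = sum(c for c in credits.values() if c > 0)
    required = sum(-c for c in credits.values() if c < 0)
    length = max(required, 1)
    # Characters spent on required classes earn no credit.
    while length + min(length - required, max_credit) < minlen:
        length += 1
    return length
```

Calling `shortest_accepted(minlen, credits)` with the values from a `pam_cracklib` line shows the real minimum length that the configured policy admits.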