'passwd' command - "BAD PASSWORD: it does not contain enough DIFFERENT characters"?

SirTristan · 10-29-2010, 08:58 AM

I'm trying to change the password for an account using the passwd command in Linux. However I'm getting the error:

"BAD PASSWORD: it does not contain enough DIFFERENT characters"

Even though the passwords I'm trying seem pretty safe and complicated enough to me. I googled and think this is controlled by something called cracklib? Don't know for sure though.

How can I change the settings for this, perhaps lowering the amount of different characters required, or disabling whatever security setting is causing this error?

mlangdn · 10-29-2010, 10:49 AM

Using su or sudo, try it this way:

Code:

# passwd user

where user is the actual username you wish to change.

Doing it this way (with root privileges) will force the change.

HasC · 10-29-2010, 11:29 AM

it isn't an error, it's a good and very desirable security feature.

anyways, if you want to disable it, look in your PAM files for a line that looks like this

Code:

password required pam_cracklib.so retry=3 minlen=11 difok=3 lcredit=0 ucredit=1
dcredit=1 ocredit=1

(from a CentOS installation)
and modify it as you want. More info here.

jefro · 10-29-2010, 05:21 PM

"t does not contain enough DIFFERENT characters""

That means what is called 3 of 4 rule.

Capital letters such as ABCD

Lower case such as abcd

Numbers such as 1234

Other's such as !@#$

Usually you need to have a password that contains at least three of those.

SirTristan · 10-30-2010, 08:10 AM

Quote:

Originally Posted by mlangdn

Doing it this way (with root privileges) will force the change.

Thanks, but this is how I was doing it, I was doing it as root.

Quote:

Originally Posted by HasC

anyways, if you want to disable it, look in your PAM files for a line that looks like this

Code:

password required pam_cracklib.so retry=3 minlen=11 difok=3 lcredit=0 ucredit=1
dcredit=1 ocredit=1

(from a CentOS installation)
and modify it as you want. More info here.

Thank you. What might my pam configuration file be called though? From that documentation, I should have a file /etc/pam.conf, but I don't have this file. I do have a folder /etc/pam.d, but there are no *.conf files located there.

Using 'find' I found similar text in /etc/pam.d/system-auth.orig and /etc/pam.d/system-auth-ac. system-auth-ac contained the following lines, which are similar:

Code:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
password    required      pam_deny.so

And system-auth.orig contained the following lines, which are similar:

Code:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

I don't want to mess with anything here though before I know what I'm doing.

Also, how would I restart PAM after making changes?

emory458 · 08-02-2012, 07:07 PM

In RHEL5+, I see we no longer have a /etc/pam.conf file, but use PAM modules - in /etc/pam.d. I find many referecnes of WHAT to change in these files, but not HOW. I've tried editing the /etc/pam.d/system-auth file (which is linked to system-auth-ac), but the comment lines give me pause. It explicitly indicates this file is autogenerated, and any user edits wil be lost when authconfig is re-run. What I c an;t find is how do I modify this file on a permanent basis, so its entered in the autogenerated file.

The system/authentication GUI interface only allows for choosing authentication type - local files, NIS, LDAP. Modifying the /etc/login.defs fiel - while usable in rh4 adn below, has no meaning now apparently - as PAM modules override this.

Does anyone know how I can modify this file?

wilomr11st · 08-02-2012, 11:34 PM

Usually you need to have a password that contains at least three of those.http://x.co/huI3
http://secure.hostgator.com/~affilia...gi?id=paul87st
http://click.linksynergy.com/fs-bin/...1 Internet Inc