[SOLVED] passwd - error message can someone explain - BAD PASSWORD: it is derived from your password entry

rtrfamjr2 · 05-22-2020, 11:01 AM

when some users attempt to change there password with 'passwd' they are receiving this message
example:
Changing password for axgadmd.
(current) UNIX password:
New password:
BAD PASSWORD: it is derived from your password entry

sxy · 05-22-2020, 11:25 AM

Hi,

Likely it's a PAM feature. Copied from my /etc/pam.d/system-auth:

Quote:

#############################
# Password quality checking #
#############################
#
# Please note that unless cracklib and libpwquality are installed, setting
# passwords will not work unless the lines for the pam_pwquality module are
# commented out and the line for the traditional no-quality-check password
# changing is uncommented.
#
# The pam_pwquality module will check the quality of a user-supplied password
# against the dictionary installed for cracklib. Other tests are (or may be)
# done as well - see: man pam_pwquality
#
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
password requisite pam_pwquality.so minlen=6 retry=3
password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok

# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
#password sufficient pam_unix.so nullok sha512 shadow minlen=6

# ATTENTION: always keep this line for pam_deny.so:
password required pam_deny.so

and

Code:

man pam_pwquality

If you want to use that password anyway, try 'sudo passwd username' of change PAM settings accordingly.

Hope this helps.

rtrfamjr2 · 05-22-2020, 03:31 PM

Thanks for the info. We already used the 'sudo passwd username' to force the password change.
It does seem to be related to the PAM either pam_pwquality or pam_cracklib.

It's not documented or at least I currently can not find it documented on what it actually means unlike some of the other "BAD PASSWORD" messages.

scasey · 05-22-2020, 04:01 PM

I believe that particular error is caused by a violation of the difok option...that the new password is not different from the old password by the difok number of characters. The man page says that defaults to 5.

I'm not able to find definitive documentation for the error either, however.