A Friendly Warning

The guidance in this article is becoming increasingly out-of-date. Please refer to, particularly if you are using a RedHat-based distribution.

Linux Password Security with pam_cracklib
Hal Pomeranz, Deer Run Associates

Standard Unix reusable passwords are not really a good authentication system.
However, the costs associated with migrating to an alternate authentication system such as two-factor token authentication or smartcard-based systems are too high for most enterprises. So sites are generally left with the 'lowest common denominator' option provided by their vendors.

In order to improve the security of standard reusable passwords, 'best practices' tell us to require users to change their passwords on a regular basis, enforce minimum lengths and good 'rules' for new passwords (such as requiring mixed case and non-alphanumeric characters), and even keep a 'history' of previous user passwords so that users don't 'repeat'.

Interestingly, Unix systems have typically lagged behind other operating systems in providing this functionality, particularly when it comes to rule-based systems for requiring strong passwords, as well as functionality for keeping password history. In an effort to address this shortcoming, the PAM module pam_cracklib was developed for Linux systems.

I admit that for the longest time I thought pam_cracklib was just about useless. But it turns out that it's not useless, it's just really poorly documented. In an effort to correct this problem, I present the following article based on my research with the existing documentation, the pam_cracklib source code (when in doubt, read the source), and my trusty Knoppix (Debian) GNU/Linux system.

Enabling pam_cracklib

The pam_cracklib module is enabled via the system's standard PAM configuration interface. On Debian systems, this is the /etc/pam.d/common-password file (but it's /etc/pam.d/system-auth on RedHat-derived systems; can't we all just get along?). The typical configuration looks something like this:

    password required pam_cracklib.so retry=3 minlen=6 difok=3
    password required pam_unix.so md5 use_authtok

The first line enables the pam_cracklib module and sets several module parameters. 'retry=3' means that users get three chances to pick a good password before the passwd program aborts. Users can always re-run the passwd program and start over again, however. 'minlen=6' sets the minimum number of characters in the password.
Actually, since Linux systems generally use MD5 password hashes, which are not limited to 8 character passwords like the old DES56 hashes, you probably want to think about increasing the 'minlen' parameter to something a bit longer. We'll come back to this notion a bit later in the article. 'difok=3' sets the minimum number of characters that must be different from the previous password. If you increase 'minlen', you may also want to increase this value as well.

The second line invokes the standard pam_unix module. The 'md5' argument here is what enables standard Linux MD5 password hashes, though you have the option of using old-style DES56 hashes for backwards compatibility with legacy Unix systems. 'use_authtok' tells pam_unix to not bother doing any of its own internal password checks, which duplicate many of the checks in pam_cracklib, but instead accept the password that the user inputs after it's been thoroughly checked by pam_cracklib.

Simple Checks

By default, pam_cracklib performs a number of basic checks on the new password:
- Is the new password just the old password with the letters reversed ('password' vs. 'drowssap') or rotated ('password' vs. 'asswordp')?
- Does the new password only differ from the old one due to change of case ('password' vs. 'Password')?
- Are at least some minimum number of characters in the new password not present in the old password? This is where the 'difok' parameter comes into play.

These are the same checks you get in the pam_unix module if you turn on the 'obscure' flag, but since we're already using pam_cracklib we don't need to do this.

Length and Strength

While the 'minlen' parameter controls the minimum password length, things are not as simple as they might appear.
This is because pam_cracklib combines the notion of password length with password 'strength' (the use of mixed-case and non-letter characters). 'minlen' is actually the minimum required length for a password consisting of all lower-case letters. But users get 'length credits' for using upper- and lower-case letters, numbers, and non-alphanumeric characters. The default is normally that you can only get a maximum of '1 credit' for each type of character. So if the administrator sets 'minlen=12', a user could still have an 8 character password if they used all four types of characters. Actually, since using a lower-case letter gets you a credit, the real minimum length for an all lower-case password is minlen-1.

The maximum credit for any particular class of characters is actually customizable. The four parameters 'lcredit', 'ucredit', 'dcredit', and 'ocredit' are used to set the maximum credit for lower-case, upper-case, numeric (digit), and non-alphanumeric (other) characters, respectively.
For example, you could add the following parameters on the pam_cracklib line in the /etc/pam.d/common-password file:

    lcredit=0 ucredit=1 dcredit=1 ocredit=2

In other words, lower-case characters aren't special at all, so you get no credit there. On the other hand we give extra credit if the user puts two or more non-alphanumeric characters in their password. One point is still the max credit for upper-case characters and numbers.
Note that no matter what you set 'minlen' to and no matter how many 'credits' you give to your users, pam_cracklib will never let users pick passwords with less than six characters; this is a hard-coded internal minimum.

Note that you may also use negative values for 'lcredit', 'ucredit', 'dcredit', and 'ocredit'. Negative values force a user to use a certain number of each type of character. For example, 'ocredit=-2' would require all users to have at least two non-alphanumeric characters in their passwords.

Play around with these values and find something that makes sense for your site, but as a starting point I might recommend 'minlen=13 difok=4' for machines using MD5 password hashes. This means that the smallest password a user could have is 9 characters, and that's only if they use all four character sets. Many password cracking utilities don't attempt to compute strings longer than 8 characters.

Dictionary Checks

pam_cracklib also checks the user's password against its own internal dictionaries of easily guessed passwords. On Debian systems, pam_cracklib's dictionaries live in /var/cache/cracklib and are rebuilt nightly by the /usr/sbin/update-cracklib script. Other Linux distros may have other mechanisms for updating the dictionaries (as far as I can tell, RedHat doesn't provide any tools for doing this).

The update-cracklib script searches a number of directories for input files, including /usr/local/dict and /usr/local/share/dict.
So adding your own words is as easy as putting them in a file in one of these directories and running update-cracklib or waiting for cron to do it for you. Note that if you want to add other directories to update-cracklib's search path, you can do this by modifying the /etc/cracklib/cracklib.conf file (at least on Debian systems).

Password 'History'

pam_cracklib is capable of consulting a user's password 'history' and not allowing them to re-use old passwords. However, the functionality for actually storing the user's old passwords is enabled via the pam_unix module.

The first step is to make sure to create an empty /etc/security/opasswd file for storing old user passwords.
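To make the interplay of the checks concrete, here is a small Python model of the rules described in the Simple Checks, Length and Strength and Dictionary Checks sections above. It is an added example, not pam_cracklib's code and not from the article's author: the Policy, effective_length, shortest_allowed and check_new_password names are mine, the word list is a constructed stand-in for the dictionaries in /var/cache/cracklib, the 'difok' test follows the article's wording (characters of the new password that are absent from the old one) rather than the module's exact implementation, and the six-character floor is taken from the text above.

```python
"""Model of the pam_cracklib checks described in this article.

Added example, not pam_cracklib's own code: it re-implements the documented
rules (reversal/rotation/case-change checks, 'difok', 'minlen' with
per-class credits, the hard-coded six-character floor and a dictionary
lookup) so an administrator can see what a setting such as
'minlen=13 difok=4' really demands before editing /etc/pam.d.
"""
from dataclasses import dataclass

# The article states that no credit scheme lets a password go below this.
HARD_MIN_LENGTH = 6

# Constructed stand-in for the cracklib dictionary in /var/cache/cracklib;
# a real system uses the word lists built by update-cracklib.
SAMPLE_DICTIONARY = frozenset({"password", "letmein", "qwerty", "welcome"})


@dataclass(frozen=True)
class Policy:
    """The pam_cracklib parameters named in the article, with its defaults."""
    minlen: int = 6
    difok: int = 3
    lcredit: int = 1
    ucredit: int = 1
    dcredit: int = 1
    ocredit: int = 1


def class_counts(password):
    """Count lower-case, upper-case, digit and 'other' characters."""
    counts = {"l": 0, "u": 0, "d": 0, "o": 0}
    for ch in password:
        if ch.islower():
            counts["l"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.isdigit():
            counts["d"] += 1
        else:
            counts["o"] += 1
    return counts


def effective_length(password, policy):
    """Password length plus credits, as the Length and Strength section
    describes, or None when a negative credit (a required minimum count
    for that class) is not satisfied."""
    counts = class_counts(password)
    total = len(password)
    credits = {"l": policy.lcredit, "u": policy.ucredit,
               "d": policy.dcredit, "o": policy.ocredit}
    for cls, credit in credits.items():
        if credit >= 0:
            total += min(counts[cls], credit)   # at most `credit` points
        elif counts[cls] < -credit:
            return None                          # e.g. ocredit=-2 with one symbol
        # a satisfied negative credit adds nothing to the length
    return total


def shortest_allowed(policy):
    """Shortest password that can pass when every positive credit is
    earned (9 characters for minlen=13 with the default credits)."""
    earned = sum(max(c, 0) for c in
                 (policy.lcredit, policy.ucredit, policy.dcredit, policy.ocredit))
    return max(HARD_MIN_LENGTH, policy.minlen - earned)


def check_new_password(old, new, policy=Policy(), dictionary=SAMPLE_DICTIONARY):
    """Return the reasons this model rejects `new`; an empty list means it
    passes every check described in the article."""
    reasons = []
    if old:
        if new == old[::-1]:
            reasons.append("is the old password reversed")
        elif len(new) == len(old) and new in old + old:
            reasons.append("is the old password rotated (or unchanged)")
        elif new.lower() == old.lower():
            reasons.append("differs from the old password only by case")
        # difok: characters of the new password that the old one lacks
        if sum(1 for ch in new if ch not in old) < policy.difok:
            reasons.append(f"fewer than difok={policy.difok} new characters")
    if len(new) < HARD_MIN_LENGTH:
        reasons.append(f"shorter than the hard-coded minimum of {HARD_MIN_LENGTH}")
    effective = effective_length(new, policy)
    if effective is None:
        reasons.append("lacks a required number of characters of some class")
    elif effective < policy.minlen:
        reasons.append(f"effective length {effective} is below minlen={policy.minlen}")
    if new.lower() in dictionary:
        reasons.append("appears in the dictionary")
    return reasons


if __name__ == "__main__":
    # The article's recommended starting point for MD5 hashes.
    site = Policy(minlen=13, difok=4)
    print("shortest possible password:", shortest_allowed(site))
    for old, new in [("password", "drowssap"), ("password", "Ab1!efghi"),
                     ("password", "Ab1!efgh")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new, site) or 'accepted'}")
```

Running it with the recommended 'minlen=13 difok=4' shows that the shortest acceptable password is 9 characters, and only when all four character classes are present; dropping one class or one character pushes the effective length below 13, and a negative credit such as 'ocredit=-2' turns that class into a requirement that earns no credit at all.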