On a Linux machine users can normally change the password of their own account. A lot of users choose weak passwords, and such a password might be cracked with a dictionary or brute-force attack. The PAM module
pam_cracklib.so performs a number of checks on the new password. For example, the new password may not match the old password, may not be the old password reversed, and may not be the old password with only the case changed. Weak passwords are not allowed. (These checks are also done by the module
pam_unix if set to
pam_cracklib you can force the length and strength of passwords.
minlen controls the minimum password length. This parameter may work a little differently than you expect. Using the credit parameters (
lcredit, ucredit, dcredit and/or ocredit, respectively lower-case, upper-case, digit, other) might change the behaviour. Therefore
minlen is actually the minimum length of a password containing only lower-case letters. By default the user gets one 'credit' for each type of character. Therefore the system might still accept a user's password with fewer characters than set in
minlen if the user uses all types of characters. For example if you modify
password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1
Now the system will accept a password with a total length of 8 characters, as 1 'credit' is given for at least 1 lower-case character, 1 'credit' for at least 1 upper-case character, 1 'credit' for at least 2 digits and 1 'credit' for 1 other. You can however disable the 'credits' and still force a mix of characters/digits with a minimum length. When negative values are used for the 'credits', no credits are given. For example if you modify
password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1
the password has to be at least 8 characters long, of which at least 1 lower-case, 1 upper-case, 2 digits and 1 other.
These restrictions are not enforced for the root user.
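
The negative-credit rule described above, as an added Python example that is not part of the original page and is not pam_cracklib's own code: it models only the length and character-class requirements (no dictionary or old-password checks) and refuses credit-granting settings. The function names and the sample passwords used to exercise it are constructed for illustration.

```python
import string

# pam_cracklib defaults: minlen=9 and one credit per character class.
DEFAULTS = {"minlen": 9, "lcredit": 1, "ucredit": 1, "dcredit": 1, "ocredit": 1}
LABELS = {"lcredit": "lower-case", "ucredit": "upper-case",
          "dcredit": "digit", "ocredit": "other"}


def parse_options(pam_line):
    """Pull minlen and the four credit options out of a pam_cracklib line."""
    opts = dict(DEFAULTS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts


def count_classes(password):
    """Count characters per class, keyed by the matching credit option."""
    counts = dict.fromkeys(LABELS, 0)
    for ch in password:
        if ch in string.ascii_lowercase:
            counts["lcredit"] += 1
        elif ch in string.ascii_uppercase:
            counts["ucredit"] += 1
        elif ch in string.digits:
            counts["dcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_password(pam_line, password):
    """Return the reasons a password fails; an empty list means it passes."""
    opts = parse_options(pam_line)
    granting = [name for name in LABELS if opts[name] > 0]
    if granting:
        # Positive values grant credits against minlen; not modelled here.
        raise ValueError("credit-granting options not modelled: " + ", ".join(granting))
    problems = []
    if len(password) < opts["minlen"]:
        problems.append("shorter than minlen=%d" % opts["minlen"])
    counts = count_classes(password)
    for name, label in LABELS.items():
        required = -opts[name]  # e.g. dcredit=-2 means at least 2 digits
        if counts[name] < required:
            problems.append("needs at least %d %s" % (required, label))
    return problems


# The negative-credit line from the text above.
POLICY = "password required pam_cracklib.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-2 ocredit=-1"
```

Calling check_password(POLICY, candidate) returns every unmet requirement at once, which is handy when explaining a rejected password to a user.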