The complexity of password complexity

Credit: Thinkstock

Deploying password quality checking on your Debian-base Linux servers can help to ensure that your users assign reasonable passwords on their accounts, but the settings themselves can be a bit misleading. For example, setting a minimum password length of 12 characters does not mean that your users' passwords will all have twelve or more characters. Let's stroll down Complexity Boulevard and see how the settings work and examine some settings worth considering.

First, if you haven't done this already, install the password quality checking library with this command:

apt-get -y install libpam-pwquality

The files that contain most of the settings we're going to look at will be:

  • /etc/pam.d/common-password on Debian-base systems
  • /etc/pam.d/system-auth on RedHat

Complexity settings

Here's how it works. You can set a minimum password length, but it doesn't work exactly like you might think. People can set themselves up with shorter passwords if they incorporate some additional complexity and get credit for doing so.

Complexity settings allow you to do quite a number of things in addition to requiring a minimum password length. You can require:

  • uppercase characters
  • lowercase characters
  • digits
  • other characters (e.g., punctuation marks)
  • a mix of the above
  • a restriction on the number of characters in any particular class (uppercase, lowercase, etc.)
  • a restriction on how many times the same character can be used
  • the number of characters that have to be different from those used in the previous password
  • restrictions on password re-use

The settings include:

  • minlen = minimum password length
  • minclass = the minimum number of character types that must be used (i.e., uppercase, lowercase, digits, other)
  • maxrepeat = the maximum number of times a single character may be repeated
  • maxclassrepeat = the maximum number of characters in a row that can be in the same class
  • lcredit = maximum number of lowercase characters that will generate a credit
  • ucredit = maximum number of uppercase characters that will generate a credit
  • dcredit = maximum number of digits that will generate a credit
  • ocredit = maximum number of other characters that will generate a credit
  • difok = the minimum number of characters that must be different from the old password
  • remember = the number of passwords that will be remembered by the system so that they cannot be used again

Implementing these settings in your common-password file might look like this:

password   requisite retry=3 minlen=12 minclass=3 maxrepeat=2 maxclassrepeat=4 lcredit=-1 ucredit=-1 ocredit=1 dcredit=1 difok=3
password      [success=1 default=ignore] obscure use_authtok try_first_pass sha512 remember=10


The idea of "credits" is very interesting. Basically, you're getting credit for complexity. A shorter password might be acceptable if it's more complex in other ways -- like the mix of characters – than length.

As an example, a password like "hijlmqrazp" might pass a minlen=10 test. If dcredit is set to 2, on the other hand, the password "hijlmq99" would also pass. Why? Because we'd get 2 credits for the digits. So, 8 characters plus 2 credits is valued as highly as 10 characters. If dcredit was set to 1, you would need an additional character. However, we could get credits for uppercase, lowercase, and non-alphanumeric characters (like punctuation characters).

Note, however, that you can only get credit for so many of the different characters. Maybe you will get credit for only one digit or two uppercase characters. Maybe you don't get any credit for lowercase characters. It all depends on your settings.

Mixing character classes

One other setting which comes into play is the minclass setting. This setting determines how many different classes of characters – must be used for a password to be acceptable. If minclass is set to 2, a password containing all lowercase, all uppercase, all digits, or all other characters wouldn't work. If set to 2, minclass would require you to use characters from two classes – like uppercase and lowercase, or lowercase and digits.

With minclass set to 4, passwords would have to include all four types of characters – like “howzit2B?” and, if we get credit for uppercase, digits, or other characters, we'd be OK even with the minlen set to 12.

You can also put a cap on the number of characters of any particular class. Set the maxclassrepeat setting to 4 and passwords cannot contain more than 4 lowercase, uppercase, digits, or other characters in succession.

Why use negative values?

Setting one of the lcredit, ucredit, dcredit, or ocredit settings to a negative number means that you MUST have some of that type of character. Setting dcredit to -1, for example, would mean that you have to include at least one digit for a password to be accepted.

What else do you get?

PAM's password quality checking also includes a number of other checks that help ensure that passwords are fairly secure. It checks to see if a password is a palindrome (e.g., “racecar”), whether a new password is the same as the old password but with a change of case only, if the old and new passwords are too similar or rotations of each other, and whether a password contains the user's name. It's getting to the point that it might actually be difficult to assign oneself a really bad password.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon