When setting a password on a Linux system we often run into prompts such as "your password is too simple" or "your password is based on a dictionary word". So how does the system check the complexity of a user's password?
There are two parts (that I know of) that make up the system's control over passwords:
1 cracklib
2 login.defs
Note: login.defs mainly controls password expiry, i.e. the time management of passwords. It is not covered in detail here.
login.defs -- shadow password suite configuration
pam_cracklib.so is the key file that controls password complexity.
Red Hat developed the cracklib package specifically to judge the complexity of passwords.
Its contents can be listed with: rpm -ql cracklib
Password complexity is enforced through a PAM module, namely pam_cracklib. Introduction to the pam_cracklib parameters:
debug
This option makes the module write information to syslog(3) describing the behaviour of the module (this option does not write password information to the log file).
type=xxx
By default, when a password is requested the module uses the prompts "New UNIX password:" and "Retype new UNIX password:". This option replaces the default word UNIX.
retry=N
Prompt the user at most N times before returning an error. The default value is 1.
difok=N
This parameter changes the default requirement that the new password have 5 characters different from the old password. In addition, if half of the characters in the new password differ from the old password, the new password is accepted.
difignore=N
When the password has fewer characters than this number, difok is ignored. The default is 23.
minlen=N
The minimum acceptable length of the new password.
dcredit=N
(N < 0) The minimum number of digits in the new password.
ucredit=N
(N < 0) The minimum number of upper-case letters in the new password.
lcredit=N
(N < 0) The minimum number of lower-case letters in the new password.
ocredit=N
(N < 0) The minimum number of other (non-alphanumeric) characters in the new password.
use_authtok
This parameter forces the module not to prompt the user for a new password, but to use the one supplied by a previously stacked password module.
dictpath=/path/to/dict
Path to the cracklib dictionaries. Note: the password dictionary is the key to verifying whether the user's password is part of the dictionary.
Example:
How to set the password complexity under Linux:
(1) Modify the /etc/login.defs file
PASS_MAX_DAYS   # maximum number of days a password may be used
PASS_MIN_DAYS   # minimum password age in days
PASS_MIN_LEN    # minimum password length
PASS_WARN_AGE 7 # number of days warning given before a password expires
(2) Modify the /etc/pam.d/system-auth file
Find the line "password requisite pam_cracklib.so" and replace it with the following:
password requisite pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict
Meaning of the parameters:
retry attempts: 5; minimum different characters: 3; minimum password length: 10; minimum upper-case letters: 1; minimum lower-case letters: 3; minimum digits: 3; password dictionary: /usr/share/cracklib/pw_dict
Note: the above settings do not apply to the root user. If you test right after modifying the file as root, you will find that the settings appear to have no effect. Create a new account and switch to it instead:
useradd test
passwd test
su - test
At this point you will find that the settings take effect.
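As an added illustration, not code from the original post or from pam_cracklib itself, the following Python re-implements the minlen/credit scoring that pam_cracklib applies to a candidate password, using the values from the system-auth line above, together with a plain dictionary lookup. The wordlist and the test passwords are constructed here; the real module reads the packed dictionary under dictpath and also tries mangled forms of each word, which this lookup does not.

```python
# Policy from the system-auth line in the post: minlen=10 ucredit=-1
# lcredit=-3 dcredit=-3. ocredit is not set there, so it keeps the
# pam_cracklib default of 1 (a positive credit, see credit_score).
POLICY = {"minlen": 10, "ucredit": -1, "lcredit": -3, "dcredit": -3, "ocredit": 1}

# Constructed stand-in for the cracklib dictionary under dictpath.
DICTIONARY = {"password", "qwerty", "letmein", "welcome"}


def class_counts(pw):
    """Count characters per class, keyed by the credit option governing it."""
    return {
        "dcredit": sum(c.isdigit() for c in pw),
        "ucredit": sum(c.isupper() for c in pw),
        "lcredit": sum(c.islower() for c in pw),
        "ocredit": sum(not c.isalnum() for c in pw),
    }


def credit_score(pw, policy=POLICY):
    """Return (passes, score) following pam_cracklib's simple() check.

    A negative credit -N requires at least N characters of that class.
    A positive credit N lets up to N characters of that class count as
    extra credit towards minlen, so a mixed password may pass with
    fewer than minlen actual characters.
    """
    size = len(pw)
    for option, count in class_counts(pw).items():
        credit = policy[option]
        if credit >= 0:
            size += min(count, credit)
        elif count < -credit:
            return False, size  # a required class is under-represented
    return size >= policy["minlen"], size


def check_password(pw, policy=POLICY, words=DICTIONARY):
    """Return "OK" or a reason phrased like the pam_cracklib messages."""
    if pw.lower() in words:
        return "it is based on a dictionary word"
    passes, _score = credit_score(pw, policy)
    if not passes:
        return "it is too short or lacks a required character class"
    return "OK"


if __name__ == "__main__":
    for candidate in ("Qwerty", "Passw0rd", "Ab1cd2ef3", "Abc123xyz!"):
        print(f"{candidate!r}: {check_password(candidate)}")
```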
Complexity of Linux passwords