PAM password complexity limits under Linux

Source: Internet
Author: User

How does a Linux system implement the check of a user's password complexity?
Two components on the system control passwords:
1. cracklib
2. /etc/login.defs

pam_cracklib.so is the key file that controls password complexity:
/lib/security/pam_cracklib.so
Red Hat developed the cracklib package specifically to judge password complexity.

# rpm -qa | grep cracklib
cracklib-2.8.9-3.1            // confirms that the package is installed
cracklib-dicts-2.8.9-3.1      // the password dictionary files

Note: login.defs mainly controls password expiry, that is, the time management of passwords.

Password complexity is enforced through a PAM module, specifically pam_cracklib. Introduction to the pam_cracklib parameters:
# man pam_cracklib    // the manual describes the module's role

Available parameters

debug
This option causes the module's information to be written to syslog(3), which shows the module's behaviour (the option does not write the password itself to the log file).

type=xxx
By default the module asks for a password using the prompts "New UNIX password:" and "Re-enter UNIX password:". The word UNIX in these prompts can be replaced with this option.

retry=N
Changes the number of times a password may be entered; the default is 1, i.e. the module exits as soon as the entered password is not strong enough. Use this option to allow several attempts so that the user does not have to start all over again.

difok=N
The default is 10. This parameter sets how many characters the new and old passwords are allowed to have in common. However, if half of the characters in the new password differ from the old password, the new password is accepted anyway.

difignore=N
The password length at which the difok check is ignored: once the new password has this many characters, difok is no longer applied. The default is 23.

minlen=N
The minimum acceptable length of the new password (plus one, if credits are not disabled, which is the default). In addition to the number of characters in the new password, a credit (of +1 in length) is given for each different kind of character present (other, uppercase, lowercase, digit). The default for this parameter is 9, which is fine for an old-style UNIX password made up of a single type of character but may be too low to exploit the added security of an MD5 system. Note that cracklib itself has a pair of length limits: a "way too short" limit of 4 that is hard coded, and a defined limit (6) that is checked without reference to minlen. If you want to allow passwords as short as 5 characters, you should not use this module.

dcredit=N
Limits the minimum number of digits in the new password.

ucredit=N
Limits the minimum number of uppercase characters in the new password.

lcredit=N
Limits the minimum number of lowercase characters in the new password.

ocredit=N
Limits the minimum number of other characters in the new password.

This parameter forces the module not to prompt the user for a new password but to take the password supplied by a previously stacked module.

dictpath=/path/to/dict    // Note: the password dictionary; this is the key to checking whether the user's password is a dictionary word

cracklib password strength detection process:
password strength detection –>
is the new password too short? –>

/etc/pam.d/system-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3    // complexity check
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Example:
password    required      pam_cracklib.so \
            difok=3 minlen=15 dcredit=2 ocredit=2
Allows the new and old passwords to have 3 characters in common.
Minimum length 15 characters, containing at least 2 digits and at least 2 special characters.

password    required      pam_cracklib.so \
            dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
Minimum length 8, with at least 1 digit, 1 uppercase letter and 1 other character.

Note that this setting does not apply to root;
it only takes effect when a normal user changes their own password.
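As an added example that is not part of the original article: a Python model of the minlen/credit and difok rules from the parameter list above, applied to the two example lines (parse_pam_line, check_password and the INSTANCE constants are this example's own names). It assumes the semantics of the pam_cracklib manual, where a positive credit caps how much a character class may add to the length and a negative credit is a required minimum count; the dictionary, palindrome and case-change checks are left out.

```python
import re
# Defaults as listed in the parameter descriptions above (older pam_cracklib versions).
DEFAULTS = {"minlen": 9, "difok": 10, "difignore": 23,
            "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
NAMES = {"dcredit": "digit", "ucredit": "uppercase", "lcredit": "lowercase", "ocredit": "other"}

def parse_pam_line(line):
    """Options from a 'password ... pam_cracklib.so k=v ...' line; other keys are ignored."""
    opts = dict(DEFAULTS)
    for key, val in re.findall(r"(\w+)=(-?\d+)", line.partition("pam_cracklib.so")[2]):
        if key in opts:
            opts[key] = int(val)
    return opts

def check_simple(pw, opts):
    """minlen rule (assumed manual semantics): credit >= 0 caps a class's length bonus; credit < 0 is a required minimum."""
    # count digits, uppercase and lowercase; everything else counts as "other"
    d, u, lo = (sum(f(c) for c in pw) for f in (str.isdigit, str.isupper, str.islower))
    counts = {"dcredit": d, "ucredit": u, "lcredit": lo, "ocredit": len(pw) - d - u - lo}
    need = opts["minlen"]
    for key, count in counts.items():
        credit = opts[key]
        if credit < 0 and count < -credit:
            return f"needs at least {-credit} {NAMES[key]} character(s)"
        if credit >= 0:
            need -= min(count, credit)   # the bonus is capped, so one class cannot pad the length
    if len(pw) < need:
        return f"too simple: {len(pw)} chars, effective minimum is {need}"
    return None

def check_similar(old, new, opts):
    """difok rule: enough characters of the old password must be absent from the new one."""
    if len(new) >= opts["difignore"]:   # long enough that difok is not applied
        return None
    reused = sum(1 for c in old if c in new)
    # accepted anyway when at least half the old characters are gone or it is twice as long
    if len(old) - reused >= opts["difok"] or reused < len(old) // 2 or len(new) >= 2 * len(old):
        return None
    return "too similar to the old password"

def check_password(old, new, opts):
    """First failing reason, or None when the new password would be accepted."""
    if len(new) < 4:
        return "WAY too short"   # limit hard-coded in cracklib itself
    if len(new) < 6:
        return "too short"       # cracklib's compiled-in limit of 6, checked without regard to minlen
    return check_simple(new, opts) or check_similar(old, new, opts)
# The two example lines from the article, each joined onto one line.
INSTANCE_1 = "password required pam_cracklib.so difok=3 minlen=15 dcredit=2 ocredit=2"
INSTANCE_2 = "password required pam_cracklib.so dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8"
```

With INSTANCE_1, a 16-character password that reuses every character of an 11-character old one passes the length rule but is rejected by difok=3, which shows why the two checks are separate.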
