From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

Description of problem:
I try without success to have cracklib force users to have a password longer than 8 characters.

/etc/pam.d/system-auth:

    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth required /lib/security/pam_deny.so
    account required /lib/security/pam_unix.so
    password required /lib/security/pam_cracklib.so retry=3 minlen=8 debug
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/pam_deny.so
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so

However, users are still allowed to change their password to a shorter string. Note that if I set minlen=2, I still have the 6-character length limitation active too. I'm using pam-0.75-46.7.3.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. In /etc/pam.d/system-auth add minlen=8 (or whatever integer you prefer not equal to 6).
2. Log in as a user, try to change the password with passwd. Try to use a password too short.

Actual Results: password gets changed

Expected Results: password too short error message

Additional info:

minlen alone is not sufficient; you also have to set the following parameters:

    dcredit=N ucredit=N lcredit=N ocredit=N

Weight, digits, upper, lower, other characters with count N. Use these values to compute the 'unsimplicity' of the password.

Looking at the source code, it seems that the actual minimum length is computed as minlen - dcredit - ucredit - lcredit - ocredit; basically it is not a minimum length but rather a "minimum simplicity". Setting minlen to 8, for example, and the "credit" parameters to 0 should yield the desired result.

By playing with minlen and the credit parameters, you can allow for constraints like "at least one digit", "at least one capital letter" and so on.

I hope this helps.
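
A model of the credit arithmetic described in the comment above, added here as an illustration; it is not pam_cracklib's source and not part of the original report. The defaults used when an option is absent (minlen=9, each credit 1) and the function names are assumptions, and only non-negative credits are modelled.

```python
import shlex

# Assumed defaults for options missing from the line (not stated on the page).
ASSUMED_DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}


def parse_cracklib_line(line):
    """Return the length/credit options of a pam_cracklib line in a PAM file."""
    opts = dict(ASSUMED_DEFAULTS)
    fields = shlex.split(line, comments=True)
    if len(fields) < 3 or not fields[2].endswith("pam_cracklib.so"):
        raise ValueError("not a pam_cracklib line")
    for arg in fields[3:]:
        key, sep, value = arg.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts


def required_length(password, opts):
    """Length this password must reach once its credits are deducted."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
    }
    counts["ocredit"] = len(password) - sum(counts.values())
    # Each class earns at most its credit value N (non-negative credits only).
    earned = sum(min(counts[k], max(opts[k], 0)) for k in counts)
    return opts["minlen"] - earned


def passes_length_check(password, opts):
    """True when the password is at least as long as its required length."""
    return len(password) >= required_length(password, opts)


# Constructed inputs: the reporter's module line, and the same line with credits zeroed.
REPORTED = "password required /lib/security/pam_cracklib.so retry=3 minlen=8 debug"
FIXED = REPORTED + " dcredit=0 ucredit=0 lcredit=0 ocredit=0"

if __name__ == "__main__":
    for pw in ("Ab1xyz", "abcdefg", "abcdefgh"):
        for name, line in (("reported", REPORTED), ("fixed", FIXED)):
            opts = parse_cracklib_line(line)
            print(f"{name:8} {pw!r:11} need>={required_length(pw, opts)} "
                  f"ok={passes_length_check(pw, opts)}")
```

Under the assumed defaults, the reported line accepts the six-character "Ab1xyz" (8 minus 3 credits leaves 5 required), while the same line with every credit set to 0 requires the full 8 characters.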