Bug 865521 - rfe: smaller cracklibs-dict for cloud images
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: cracklib
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-10-11 12:33 EDT by Matthew Miller
Modified: 2017-01-26 13:04 EST
Doc Type: Bug Fix
Type: Bug

Attachments
common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net) (71.31 KB, text/plain), 2015-07-22 17:03 EDT, Matthew Miller

Description Matthew Miller 2012-10-11 12:33:54 EDT
9MB isn't gigantic, but I'd like to get the Fedora cloud image as small as possible. Hopefully, people will be using ssh keys and not passwords at all in the cloud anyway. Cracklib-dicts is in the dependency chain of, well, anything, and so shipping a minimal version is an easy way to reduce image size.

I know I'm responsible in part for the growth of this package, but times change. :)

Ideally, the big dictionary package would be installed by default, but a smaller version could also fill the dependency.
Comment 1 Fedora Admin XMLRPC Client 2013-06-10 12:17:38 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Matthew Miller 2013-09-08 20:24:50 EDT
I see that there is a "cracklib-small" already. Maybe that's the place to start? Alternately, there's this list http://xato.net/passwords/more-top-worst-passwords/#more-269 of the 10,000 most common passwords, which the researcher suggests are used by 98.8% (!) of users. That's even smaller than cracklib-small and may have a stronger positive impact.
Comment 3 Matthew Miller 2014-06-26 13:51:11 EDT
Can we revisit this for F21?
Comment 4 Matthew Miller 2014-07-11 11:58:00 EDT
Note that the top 10k list is licensed CC-BY-SA 3.0, with text as follows:

"You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net)."
Comment 5 Matthew Miller 2015-07-22 12:32:42 EDT
Original site seems down, but list is widely available. See for example https://github.com/typhoon2099/PasswordBannedList/blob/master/banned.list.

This could also be combined with https://github.com/first20hours/google-10000-english, and possibly similar for a few other languages, still yielding a much smaller overall dict.
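The dictionary sketched in the comment above (a top-passwords list merged with a common-English list), as an added example in Python; this is not cracklib or Fedora code, and the two word lists inside it are constructed stand-ins for the xato.net and google-10000-english files. The in-memory check approximates cracklib's lookup (assumption: the exact, lowercased, reversed and leading/trailing-digit-stripped forms of a candidate are all rejected), and `MIN_LEN` is this example's own filter, not a cracklib rule.

```python
"""Merge small word lists into a cracklib-style dictionary and test candidates.

Added example for the discussion above; not cracklib or Fedora code. The two
lists below are constructed stand-ins for the xato.net top-10k passwords and
google-10000-english. In a real build the merged list would be piped through
cracklib-format and cracklib-packer, which emit the .pwd/.pwi/.hwm files that
libpwquality and pam_cracklib read; the in-memory lookup here only approximates
cracklib's mangling (assumption: exact, lowercase, reversed and
leading/trailing-digit-stripped forms are all rejected).
"""
import re
from typing import List, Set

# Constructed samples, not the real lists.
TOP_PASSWORDS = """
password
123456
12345678
qwerty
abc123
letmein
monkey
"""

COMMON_ENGLISH = """
the
of
welcome
dragon
security
"""

MIN_LEN = 4  # assumption of this example: drop very short words


def build_dictionary(*sources: str, min_len: int = MIN_LEN) -> List[str]:
    """Normalise roughly the way cracklib-format does: lowercase, unique, sorted."""
    words: Set[str] = set()
    for src in sources:
        for line in src.splitlines():
            w = line.strip().lower()
            if len(w) >= min_len:
                words.add(w)
    return sorted(words)


def mangle(candidate: str) -> Set[str]:
    """Forms of the candidate that get looked up (approximation, see module docstring)."""
    base = candidate.lower()
    forms = {base, base[::-1]}
    stripped = re.sub(r"^\d+|\d+$", "", base)
    if stripped:
        forms.add(stripped)
        forms.add(stripped[::-1])
    return forms


def is_weak(candidate: str, dictionary: List[str]) -> bool:
    """True if any mangled form of the candidate is a dictionary word."""
    words = set(dictionary)
    return any(form in words for form in mangle(candidate))


def write_wordlist(dictionary: List[str], path: str) -> None:
    """One word per line: the input cracklib-packer expects."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(dictionary) + "\n")


if __name__ == "__main__":
    d = build_dictionary(TOP_PASSWORDS, COMMON_ENGLISH)
    print(f"{len(d)} words in the merged dictionary")
    for pw in ("Password1", "dragon99", "nogard", "correct horse battery"):
        print(f"{pw!r}: {'rejected' if is_weak(pw, d) else 'not in dictionary'}")
```

To turn the written word list into something libpwquality can actually use, run it through the real tools, e.g. `cracklib-format words.txt | cracklib-packer /usr/share/cracklib/pw_dict_small`, and point `dictpath` at that prefix; `cracklib-check` then gives the authoritative answer for a candidate, which is what the approximation above should be compared against.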
Comment 6 Matthew Miller 2015-07-22 17:03:05 EDT
Created attachment 1055018 [details]
common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net)
Comment 7 Matthew Miller 2015-07-23 15:30:37 EDT
See https://fedorahosted.org/fesco/ticket/1455 -- I think that for the purposes of this ticket, simply subpackaging cracklib-small separately should be sufficient.

Right now, libpwquality and pam both directly require cracklib-dicts; I guess cracklib-dicts-small could provide this, and then cracklib itself could have "Recommends: cracklib-dicts"?
Comment 8 Tomas Mraz 2015-07-24 04:38:00 EDT
I am afraid the dependency problem will have to be resolved differently. 

Currently even if we subpackaged the cracklib-dicts-small the file will not be usable without configuring an explicit dictpath in pwquality.conf (or, in the case of pam_cracklib, on its command line; however, that is a legacy module and we can probably ignore it now).

We could probably change the hard Requires in pam and libpwquality to Recommends. However I am not sure whether that helps with the Cloud product - i.e. whether cloud images can ignore weak deps.
Comment 9 Matthew Miller 2015-07-24 09:48:05 EDT
I noticed that you're adding "conf.d" support to libpwquality. Might it be possible for each dict subpackage to include a conf snippet enabling that dictionary?

The cloud images *can* ignore weak deps. Right now, Recommends aren't installed by default at all and need to be listed; in the future if this changes, we can always "-" them.
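The per-subpackage snippet idea from the comment above, worked through as an added example (not libpwquality or Fedora code): each dictionary package drops one file into a conf.d directory that sets `dictpath`, and the effective value is whatever the last file in sorted order says. Assumptions made here: pwquality.conf is `key = value` lines with `#` comments, conf.d/*.conf files are applied in sorted filename order after the main file with later files overriding earlier ones, and the snippet names and dictionary paths are illustrative.

```python
"""Resolve the effective libpwquality dictpath from a main config plus conf.d snippets.

Added example for the idea in the comment above (each dictionary subpackage
drops a snippet that points dictpath at its own files). Not libpwquality
code. Assumptions: pwquality.conf is 'key = value' lines with '#' comments,
and conf.d/*.conf files are applied in sorted filename order with later files
overriding earlier ones. File names, contents and paths are constructed.
"""
import os
import tempfile
from typing import Dict

# Constructed snippet set: a hypothetical cracklib-dicts-small subpackage and
# the full cracklib-dicts package each ship one file; the numeric prefix gives
# the full dictionary precedence when both are installed.
MAIN_CONF = "# system default\nminlen = 8\n"
SNIPPETS = {
    "10-cracklib-dicts-small.conf": "dictpath = /usr/share/cracklib/pw_dict_small\n",
    "20-cracklib-dicts.conf": "dictpath = /usr/share/cracklib/pw_dict\n",
}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key = value lines, ignoring blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key:
            settings[key] = value
    return settings


def effective_settings(main_path: str, conf_dir: str) -> Dict[str, str]:
    """Main file first, then conf.d/*.conf in sorted order; last assignment wins."""
    settings: Dict[str, str] = {}
    if os.path.exists(main_path):
        with open(main_path, encoding="utf-8") as fh:
            settings.update(parse_conf(fh.read()))
    if os.path.isdir(conf_dir):
        for name in sorted(os.listdir(conf_dir)):
            if name.endswith(".conf"):
                with open(os.path.join(conf_dir, name), encoding="utf-8") as fh:
                    settings.update(parse_conf(fh.read()))
    return settings


def resolve_dictpath(installed_snippets: Dict[str, str]) -> str:
    """Lay out the constructed config tree in a temp dir and return the winning dictpath.

    An empty string means no snippet set dictpath, i.e. the library would fall
    back to its built-in default dictionary location.
    """
    with tempfile.TemporaryDirectory() as root:
        main_path = os.path.join(root, "pwquality.conf")
        conf_dir = os.path.join(root, "pwquality.conf.d")
        os.mkdir(conf_dir)
        with open(main_path, "w", encoding="utf-8") as fh:
            fh.write(MAIN_CONF)
        for name, body in installed_snippets.items():
            with open(os.path.join(conf_dir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return effective_settings(main_path, conf_dir).get("dictpath", "")


if __name__ == "__main__":
    print("both installed :", resolve_dictpath(SNIPPETS))
    small_only = {k: v for k, v in SNIPPETS.items() if "small" in k}
    print("small only     :", resolve_dictpath(small_only))
    print("no snippets    :", resolve_dictpath({}) or "(library default)")
```

The ordering is the point: a cloud image that installs only the small subpackage gets the small dictionary, a workstation that pulls in the full package via Recommends gets the full one, and neither needs to edit pwquality.conf itself. An image that drops both snippets must still leave a dictionary on disk that `dictpath` can reach, or every password check fails rather than falling back.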
Comment 10 Matthew Miller 2016-10-27 10:53:10 EDT
Is this fixed by #1323172?
Comment 11 Tomas Mraz 2016-10-31 04:50:35 EDT
It basically depends on you whether you think the fix for bug 1323172 is sufficient for you.
Comment 12 Matthew Miller 2017-01-26 13:04:23 EST
I guess it is, although I think it would still be nice to ship the smaller dictionary as an alternative option, but whatever.
