Tuesday, February 22, 2011

Bad Advice: Linux Password Strength

First of all let me say that for the record, I don't generally believe in setting weak passwords. It is definitely one of the things past users I've worked with will tell you can be annoying about me. They hate it when I hand them a new user password with a bunch of symbols and a variety of alpha-numeric characters. I personally get a lot of enjoyment out of trying to think up clever combinations. I recently ran into a situation at home though that necessitated the creation of a password that failed one of the classic password rules.

When I'd initially set up my CentOS box, I had created a password that was standard for me at the time. Months later it is no longer my de facto password and it's become difficult for me to remember it when I go to log in to my system, so I decided it was time to finally change that password and bring it in line with what I typically use. When I tried to change it I got the message "BAD PASSWORD" because it was too close to what my previous password had been. I tried to change it to a blank password to see if that would get me over the hump. Nothing doing. My server was not about to let me use a weak password.

I did some digging and found the appropriate places to change the password strength setting. Not, unfortunately, before stumbling across a forum where every response to the OP's question was "You shouldn't do that." I hate forum police. It's fine to include a word of admonishment, but it would be really nice if you could also answer the question. Yes, thank you, I understand that weak passwords are a bad idea and that the policy is there to protect you, yadda yadda. Now please tell me how to override this policy.

I finally got the answer from this blog, and it's as simple as editing your /etc/pam.d/system-auth file to comment out the line that calls the pam_cracklib.so module.
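As an added example (my own, not code from the post or from the linked blog), the script below parses the password stack of a system-auth style file and reports whether pam_cracklib.so (or its successor pam_pwquality.so on newer distributions) is still enforced and with which options. It is the sort of check an administrator would run across a fleet to find hosts where the line has been commented out. The three sample configs are constructed for the example; the first mirrors the stock CentOS pam_cracklib line, the second is the post's fix, and the third shows a narrower alternative: the "too similar to the old password" rejection is governed by the real `difok` option, so relaxing that one option keeps the rest of the strength check in place instead of removing the module.

```python
"""Audit a PAM service file's password stack for an active strength check.

Added example, not from the original post. Sample configs below are
constructed; the first reproduces the default CentOS pam_cracklib line.
"""
from dataclasses import dataclass, field

# Modules that implement password strength checking on Linux.
STRENGTH_MODULES = ("pam_cracklib.so", "pam_pwquality.so")


@dataclass
class PamRule:
    type: str          # auth / account / password / session
    control: str       # required / requisite / sufficient / [..] form
    module: str        # e.g. pam_cracklib.so
    args: list = field(default_factory=list)


def parse_pam(text):
    """Parse PAM rules. Commented lines (the post's fix) are dropped,
    which is exactly why they stop being enforced."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        rtype = tokens[0]
        if tokens[1].startswith("["):
            # bracketed control field, e.g. [success=1 default=ignore]
            end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
            control = " ".join(tokens[1:end + 1])
            rest = tokens[end + 1:]
        else:
            control = tokens[1]
            rest = tokens[2:]
        rules.append(PamRule(rtype, control, rest[0], rest[1:]))
    return rules


def strength_check(text):
    """Return (enforced, options) for the first strength module in the
    password stack. enforced is True only when the control can fail the
    stack (required/requisite); a commented-out line yields (False, {})."""
    for rule in parse_pam(text):
        if rule.type == "password" and rule.module in STRENGTH_MODULES:
            opts = {}
            for arg in rule.args:
                key, _, value = arg.partition("=")
                opts[key] = value if value else True
            return rule.control in ("required", "requisite"), opts
    return False, {}


# Constructed sample: password section of a stock CentOS system-auth.
DEFAULT = """\
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""

# The post's fix: same stack with the cracklib line commented out.
DISABLED = DEFAULT.replace("password    requisite     pam_cracklib.so",
                           "#password    requisite     pam_cracklib.so")

# Narrower alternative: keep the module, relax only the similarity check
# (difok = minimum number of characters that must differ from the old password).
TUNED = DEFAULT.replace("retry=3", "retry=3 difok=1")

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("disabled", DISABLED), ("tuned", TUNED)):
        enforced, opts = strength_check(cfg)
        print(f"{name:9s} enforced={enforced} options={opts}")
```

Run it against `/etc/pam.d/system-auth` by reading the file into `strength_check`; a result of `(False, {})` on a host means nothing in the stack will reject a weak password any more, which is what the commenting-out trick produces.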
