The Geek Diary

“BAD PASSWD : is too simple” – error during password change in CentOS/RHEL 7 and 8

by

Question: How too avoid the warning “BAD PASSWD : is too simple” when changing password in Linux?

1. Modify the configuration file /etc/pam.d/password-auth and /etc/pam.d/system-auth to set the password complexity.

# vi /etc/pam.d/password-auth

The following information are displayed.

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
#password   requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0 enforce_for_root
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Add a comment tag (#) before the pam_cracklib.so line in the password-auth configuration file to comment out the line.

# vi /etc/pam.d/system-auth

The following information are displayed:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
#password   requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0 enforce_for_root
#password   requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Add a comment tag (#) before the pam_cracklib.so and pam_pwquality.so line in the system-auth configuration file to comment out the line.

Remove use_authtok parameter from this line:

password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow use_authtok

Parameter settings in the pam_cracklib.so and pam_pwquality.so line control user password complexity and enforce_for_root indicates that the password of the root user also needs to meet the password complexity requirements.

Note: Lowering the password complexity can bring risks to the systems.

You May Also Like