How to change/disable password complexity test when changing password?

Question

I know that it is a "bad" idea, I know that it is not secure, I know. I searched the net for an answer and all I saw was whining that it's not good. But I like using Linux because it lets me make the system I want and like to use. The end of intro.

I try to change password:

user:~% passwd
Changing password for user.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password

If I try sudo passwd user then I can set any password I want so I don't need password complexity checks for passwd on my system.

After googling I've found that there should be PAM module pam_cracklib that tests password for complexity and it can be configured. But my PAM password settings doesn't include pam_cracklib:

% cat /etc/pam.d/passwd | grep '^[^#]'
@include common-password
% cat /etc/pam.d/common-password | grep '^[^#]'
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite           pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so

I guess that pam_unix makes this test... Oops... Guys, the moment I finished to write this sentence I've got an enlightenment and typed man pam_unix in terminal where I've found needed options for pam_unix module.

I just removed option obscure and added minlen=1 and now I'm happy. So now I have this line in /etc/pam.d/common-password:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

and I can set any password.

I decided to keep this post for people who might need this solution also.

I can't answer my own question for 8 hours after asking, will wait :) — wobmene, Mar 17 '12 at 11:47
I simply wanted to change my pwd to 123. Couldn't do that with passwd. Tried "sudo passwd <user_name>" and it worked like charm. Didn't need rest of the mumbo-jumbo. Thanks for that part! : ) — zeFree, Oct 02 '13 at 13:22
@zeFree, the key point of my solution is allowing any user (not having sudo permissions) to use simple passwords — wobmene, Oct 04 '13 at 20:29
Great Intro. I have a windows laptop that spends 50% cpu cycles protecting me from viruses. Guess what? Do not need any viruses. The computer is already worthless. So .. linux lets us do what we want. I'm behind a firewall and the computer does not leave my home. Short password? Yes please. — WestCoastProjects, Dec 03 '16 at 06:28
@rslnx I think when you're posting your question it gives you the option to provide an answer immediately; I think the 8 hour delay is only there if you don't post your Q/A pair at the same time — jrh, Jul 15 '19 at 15:03
Also the 11.10 tag doesn't seem necessary, this is still relevant in 18.04; since this is a pretty low level thing it probably won't be changing anytime soon. — jrh, Jul 15 '19 at 15:33
WestCoastProjects used to be correct, Linux used to let us do what we want, which is exactly the problem here. It can feel free to give a warning about using a password that it considers weak and isn't up to its standards, but it shouldn't block us from using one, especially, since Linux users usually know what they're doing. — Synetech, Jun 12 '21 at 14:56
This also bothered me. I could create a password like "abe123!" but not "abe123Vulkan!", because the word "Vulkan" failed the dictionary check. This seems strange to me, because 2nd password is longer and also contains an upper-case letter. I feel like the Linux behaviour should default to a warning when password is too easy to crack, and not an error. Besides - you want the pc password to be easy to remember, and not something like "!yHf*_6/@hYf9" — alexpanter, Feb 20 '23 at 13:26

score 83 · Accepted Answer · edited Aug 21 '17 at 15:36

83

Ok, I will answer my question :)

I've found that pam_unix module performs password complexity check and it can be configured.

man pam_unix:

   minlen=n
       Set a minimum password length of n characters. The default value is
       6. The maximum for DES crypt-based passwords is 8 characters.

   obscure
       Enable some extra checks on password strength. These checks are
       based on the "obscure" checks in the original shadow package. The
       behavior is similar to the pam_cracklib module, but for
       non-dictionary-based checks.

Solution:
Alter the line in the pam_unix module in the /etc/pam.d/common-password file to:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

It allows you to set any password with minimal length of 1.

edited Aug 21 '17 at 15:36

Nav

1,059

answered Mar 19 '12 at 13:13

wobmene

1,981

1

Related details on password complexity: https://askubuntu.com/questions/244115/how-do-i-enforce-a-password-complexity-policy/244117#244117 – Kevin Bowen Sep 24 '19 at 21:31
3

Bonus hint: remove the obscure option if present. – garlix Apr 06 '22 at 09:50
1

Ubuntu 20.20 : after setting min len to 3, I entered new pass. It threw message that min pass length is 8. I typed pass again. It said password set. So ignore warning if you have. It will work – amol goel Aug 23 '23 at 01:39

score 54 · Answer 2 · edited Nov 24 '21 at 05:06

54

If it is a once off, using the passwd command as root you can set a simple password for a user by simply entering the desired value, and then enter the password two times at the prompts.

john@workpad:~$ sudo bash
[sudo] password for john: 
root@workpad:/home/john# passwd john
New password: 
Retype new password: 
passwd: password updated successfully
root@workpad:/home/john# exit
exit
john@workpad:~$

edited Nov 24 '21 at 05:06

John Mee

953
1
8
18

answered Mar 11 '15 at 04:29

sweetfa

1,101

9

He means doing sudo su && passwd username then Linux will allow you to use any password you would like. – user Aug 15 '19 at 01:35
5

Note that you will still get the warning "BAD PASSWORD", but this lets you change the password anyway. – Flimm Sep 30 '22 at 09:40

score 18 · Answer 3 · edited Dec 09 '19 at 13:53

18

Open the common-password config file for editing:

sudo -H gedit /etc/pam.d/common-password

Comment this line by adding the # character to the front as shown:

#password   [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512

Also comment this line, otherwise password setting will ask you to pass a mix of upper/lower case letters:

#password   requisite           pam_passwdqc.so enforce=everyone max=18 min=disabled,8,8,1,1 retry=2 similar=deny

Now just add this line into the same file:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

this should do it...

edited Dec 09 '19 at 13:53

Eliah Kagan

117,780

answered Mar 03 '14 at 04:09

Puttaraju

281
2
3

FYI, there is no pam_passwdqc.so line in my default install of 14.04 server. Maybe someone (admin?) added it on purpose? ;) – Tomofumi Aug 29 '14 at 08:40
1

correct answer for ubuntu 22.04 – Suhas.s Mar 01 '23 at 10:20

score 4 · Answer 4 · edited May 09 '22 at 14:11

For me on Ubuntu 21.04 in /etc/pam.d/common-password file:

Comment this line, because pwquality is an analogue of pam_cracklib for password restrictions

password requisite pam_pwquality.so retry=3

Change next line from

 password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512

to

    password        [success=2 default=ignore]      pam_unix.so minlen=1 sha512

score 1 · Answer 5 · answered Jul 07 '22 at 08:53

I tried ALL of the methods on a machine with a strange and very strict installation using a manipulation resistant PAM.

On this machine, none of the tricks above helped to change the password of a local account (without windows domain) to some new value. The PAM rules always kicked in, even when using sudo passwd

Changes on the /etc/pam.d/common-password resulted in passwd failing alltogether due to 'manipulation error'.

My solution to it was to set the password on another machine on which I also have root access, then copy/paste the hashed value from the /etc/shadow from that machine to the other simply using sudo vi /etc/shadow . The strict PAM did not block that, and it works. (yes, I know it also copies the salt)

score 1 · Answer 6 · answered Sep 21 '22 at 05:36

1

in /etc/pam.d/common-password change this line:

password requisite pam_pwquality.so retry=3

to

password requisite pam_pwquality.so dictcheck=0 retry=3

means set dictcheck=0, it will ignore the dictionary check

answered Sep 21 '22 at 05:36

jazeb007

191

i finished with sudo apt-get purge libpam-pwquality :) – zb' Dec 01 '22 at 08:11

score -1 · Answer 7 · answered Apr 04 '23 at 08:01

-1

for Ubuntu 22.04 LTS

in /etc/pam.d/common-password change this line:

password requisite pam_pwquality.so retry=3

to

password requisite pam_pwquality.so retry=3 minlen=6

answered Apr 04 '23 at 08:01

Deali

1

1

There is already an answer that has been accepted. How is yours an improvement? This is an 11 year old question. Many things have changed in Ubuntu in the last 11 years. – David Apr 04 '23 at 09:33
Changing pam_pwquality.so is already mentioned in https://askubuntu.com/a/1430471/158442 – muru Jul 05 '23 at 10:21

How to change/disable password complexity test when changing password?

7 Answers7

Linked