1PWQUALITY.CONF(5) File Formats Manual PWQUALITY.CONF(5)
2
6 pwquality.conf - configuration for the libpwquality library
7
9 /etc/security/pwquality.conf
10
12 pwquality.conf provides a way to configure the default password quality
13 requirements for the system passwords. This file is read by the libp‐
14 wquality library and utilities that use this library for checking and
15 generating passwords.
16 The file has a very simple name = value format with possible comments
18 starting with # character. The whitespace at the beginning of line, end
19 of line, and around the = sign is ignored.
20
23 The possible options in the file are:
24 difok
26 Number of characters in the new password that must not be
27 present in the old password. (default 5)
28 minlen
30 Minimum acceptable size for the new password (plus one if cred‐
31 its are not disabled which is the default). (See pam_pwqual‐
32 ity(8).) Cannot be set to lower value than 6. (default 9)
33 dcredit
35 The maximum credit for having digits in the new password. If
36 less than 0 it is the minimum number of digits in the new pass‐
37 word. (default 1)
38 ucredit
40 The maximum credit for having uppercase characters in the new
41 password. If less than 0 it is the minimum number of uppercase
42 characters in the new password. (default 1)
43 lcredit
45 The maximum credit for having lowercase characters in the new
46 password. If less than 0 it is the minimum number of lowercase
47 characters in the new password. (default 1)
48 ocredit
50 The maximum credit for having other characters in the new pass‐
51 word. If less than 0 it is the minimum number of other charac‐
52 ters in the new password. (default 1)
53 minclass
55 The minimum number of required classes of characters for the
56 new password (digits, uppercase, lowercase, others). (default
57 0)
58 maxrepeat
60 The maximum number of allowed same consecutive characters in
61 the new password. The check is disabled if the value is 0.
62 (default 0)
63 maxsequence
65 The maximum length of monotonic character sequences in the new
66 password. Examples of such sequence are '12345' or 'fedcb'.
67 Note that most such passwords will not pass the simplicity
68 check unless the sequence is only a minor part of the password.
69 The check is disabled if the value is 0. (default 0)
70 maxclassrepeat
72 The maximum number of allowed consecutive characters of the
73 same class in the new password. The check is disabled if the
74 value is 0. (default 0)
75 gecoscheck
77 If nonzero, check whether the words longer than 3 characters
78 from the GECOS field of the user's passwd entry are contained
79 in the new password. The check is disabled if the value is 0.
80 (default 0)
81 badwords
83 Space separated list of words that must not be contained in the
84 password. These are additional words to the cracklib dictionary
85 check. This setting can be also used by applications to emulate
86 the gecos check for user accounts that are not created yet.
87 dictpath
89 Path to the cracklib dictionaries. Default is to use the crack‐
90 lib default.
91
94 pwscore(1), pwmake(1), pam_pwquality(8)
95
98 Tomas Mraz <tmraz@redhat.com>
99Red Hat, Inc. 10 Nov 2011 PWQUALITY.CONF(5)