1PWQCHECK(1) BSD General Commands Manual PWQCHECK(1)
2
4 pwqcheck — Check passphrase quality
5
7 pwqcheck [options]
8
10 The pwqcheck program checks passphrase quality using the libpasswdqc
11 library. By default, it expects to read 3 lines from standard input:
12 first line is a new password,
14 second line is an old password, and
15 third line is either an existing account name or a passwd(5) entry.
16 There are a number of supported options, which can be used to control the
18 pwqcheck behavior.
19 pwqcheck prints OK on success. Scripts invoking pwqcheck are suggested
21 to check for both a zero exit status and the OK line.
22
24 min=N0,N1,N2,N3,N4
25 (default: min=disabled,24,11,8,7) The minimum allowed password
26 lengths for different kinds of passwords/passphrases. The key‐
27 word disabled can be used to disallow passwords of a given kind
28 regardless of their length. Each subsequent number is required
29 to be no larger than the preceding one.
30 N0 is used for passwords consisting of characters from one char‐
32 acter class only. The character classes are: digits, lower-case
33 letters, upper-case letters, and other characters. There is also
34 a special class for non-ASCII characters, which could not be
35 classified, but are assumed to be non-digits.
36 N1 is used for passwords consisting of characters from two char‐
38 acter classes that do not meet the requirements for a passphrase.
39 N2 is used for passphrases. Note that besides meeting this
41 length requirement, a passphrase must also consist of a suffi‐
42 cient number of words (see the passphrase option below).
43 N3 and N4 are used for passwords consisting of characters from
45 three and four character classes, respectively.
46 When calculating the number of character classes, upper-case let‐
48 ters used as the first character and digits used as the last
49 character of a password are not counted.
50 In addition to being sufficiently long, passwords are required to
52 contain enough different characters for the character classes and
53 the minimum length they have been checked against.
54 max=N (default: max=40) The maximum allowed password length. This can
56 be used to prevent users from setting passwords that may be too
57 long for some system services. The value 8 is treated specially:
58 if max is set to 8, passwords longer than 8 characters will not
59 be rejected, but will be truncated to 8 characters for the
60 strength checks and the user will be warned. This is to be used
61 with the traditional DES-based password hashes, which truncate
62 the password at 8 characters.
63 It is important that you do set max=8 if you are using the tradi‐
65 tional hashes, or some weak passwords will pass the checks.
66 passphrase=N
68 (default: passphrase=3) The number of words required for a
69 passphrase.
70 match=N
72 (default: match=4) The length of common substring required to
73 conclude that a password is at least partially based on informa‐
74 tion found in a character string, or 0 to disable the substring
75 search. Note that the password will not be rejected once a weak
76 substring is found; it will instead be subjected to the usual
77 strength requirements with the weak substring partially dis‐
78 counted.
79 The substring search is case-insensitive and is able to detect
81 and remove a common substring spelled backwards.
82 config=FILE
84 Load config FILE in the passwdqc.conf format. This file may
85 define any options described in passwdqc.conf(5), but only the
86 min, max, passphrase, match, and config options are honored by
87 pwqcheck.
88 -1 Read just 1 line (new passphrase). This is needed to use
90 pwqcheck as the passwordcheck program on OpenBSD - e.g., with
91 ":passwordcheck=/usr/bin/pwqcheck -1:\" in the "default" section
92 in /etc/login.conf.
93 -2 Read just 2 lines (new and old passphrases).
95 --multi
97 Check multiple passphrases (until EOF). This option may be used
98 on its own or along with the -1 or -2 options. pwqcheck will
99 read 1, 2, or 3 lines and will output one line per passphrase to
100 check. The lines will start with either OK or a message explain‐
101 ing why the passphrase did not pass the checks, followed by a
102 colon and a space, and finally followed by the passphrase. The
103 explanatory message is guaranteed to not include a colon. With
104 this option, the exit status of pwqcheck depends solely on
105 whether there were any errors preventing the strength of
106 passphrases from being fully checked or not. A primary use for
107 this option is to test different policies and/or different ver‐
108 sions of passwdqc on large passphrase lists.
109 --version
111 Output pwqcheck program version and exit.
112 -h, --help
114 Output pwqcheck help text and exit.
115
117 pwqcheck exits with non-zero status when it encounters invalid config
118 file, invalid option, invalid parameter value, invalid data in standard
119 input, and in any case when it fails to check passphrase strength. With‐
120 out the --multi option, pwqcheck also exits with non-zero status when it
121 detects a weak passphrase.
122
124 /etc/passwdqc.conf.
125
127 pwqgen(1), passwd(5), passwdqc.conf(5), pam_passwdqc(8).
128 http://www.openwall.com/passwdqc/
130
132 The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar
133 Designer. The pwqcheck program was originally written for ALT
134 GNU/*/Linux by Dmitry V. Levin, indirectly reusing code from pam_passwdqc
135 (via libpasswdqc). This manual page (derived from the pam_passwdqc docu‐
136 mentation) was written for Openwall GNU/*/Linux by Dmitry V. Levin.
137Openwall Project March 15, 2010 Openwall Project