1PWQCHECK(1)               BSD General Commands Manual              PWQCHECK(1)
2

NAME

4     pwqcheck — Check passphrase quality
5

SYNOPSIS

7     pwqcheck [options]
8

DESCRIPTION

10     The pwqcheck program checks passphrase quality using the libpasswdqc
11     library.  By default, it expects to read 3 lines from standard input:
12
13           first line is a new password,
14           second line is an old password, and
15           third line is either an existing account name or a passwd(5) entry.
16
17     There are a number of supported options, which can be used to control the
18     pwqcheck behavior.
19
20     pwqcheck prints OK on success.  Scripts invoking pwqcheck are suggested
21     to check for both a zero exit status and the OK line.
22

OPTIONS

24     min=N0,N1,N2,N3,N4
25             (default: min=disabled,24,11,8,7) The minimum allowed password
26             lengths for different kinds of passwords/passphrases.  The key‐
27             word disabled can be used to disallow passwords of a given kind
28             regardless of their length.  Each subsequent number is required
29             to be no larger than the preceding one.
30
31             N0 is used for passwords consisting of characters from one char‐
32             acter class only.  The character classes are: digits, lower-case
33             letters, upper-case letters, and other characters.  There is also
34             a special class for non-ASCII characters, which could not be
35             classified, but are assumed to be non-digits.
36
37             N1 is used for passwords consisting of characters from two char‐
38             acter classes that do not meet the requirements for a passphrase.
39
40             N2 is used for passphrases.  Note that besides meeting this
41             length requirement, a passphrase must also consist of a suffi‐
42             cient number of words (see the passphrase option below).
43
44             N3 and N4 are used for passwords consisting of characters from
45             three and four character classes, respectively.
46
47             When calculating the number of character classes, upper-case let‐
48             ters used as the first character and digits used as the last
49             character of a password are not counted.
50
51             In addition to being sufficiently long, passwords are required to
52             contain enough different characters for the character classes and
53             the minimum length they have been checked against.
54
55     max=N   (default: max=40) The maximum allowed password length.  This can
56             be used to prevent users from setting passwords that may be too
57             long for some system services.  The value 8 is treated specially:
58             if max is set to 8, passwords longer than 8 characters will not
59             be rejected, but will be truncated to 8 characters for the
60             strength checks and the user will be warned.  This is to be used
61             with the traditional DES-based password hashes, which truncate
62             the password at 8 characters.
63
64             It is important that you do set max=8 if you are using the tradi‐
65             tional hashes, or some weak passwords will pass the checks.
66
67     passphrase=N
68             (default: passphrase=3) The number of words required for a
69             passphrase.
70
71     match=N
72             (default: match=4) The length of common substring required to
73             conclude that a password is at least partially based on informa‐
74             tion found in a character string, or 0 to disable the substring
75             search.  Note that the password will not be rejected once a weak
76             substring is found; it will instead be subjected to the usual
77             strength requirements with the weak substring partially dis‐
78             counted.
79
80             The substring search is case-insensitive and is able to detect
81             and remove a common substring spelled backwards.
82
83     config=FILE
84             Load config FILE in the passwdqc.conf format.  This file may
85             define any options described in passwdqc.conf(5), but only the
86             min, max, passphrase, match, and config options are honored by
87             pwqcheck.
88
89     -1      Read just 1 line (new passphrase).  This is needed to use
90             pwqcheck as the passwordcheck program on OpenBSD - e.g., with
91             ":passwordcheck=/usr/bin/pwqcheck -1:\" in the "default" section
92             in /etc/login.conf.
93
94     -2      Read just 2 lines (new and old passphrases).
95
96     --multi
97             Check multiple passphrases (until EOF).  This option may be used
98             on its own or along with the -1 or -2 options.  pwqcheck will
99             read 1, 2, or 3 lines and will output one line per passphrase to
100             check.  The lines will start with either OK or a message explain‐
101             ing why the passphrase did not pass the checks, followed by a
102             colon and a space, and finally followed by the passphrase.  The
103             explanatory message is guaranteed to not include a colon.  With
104             this option, the exit status of pwqcheck depends solely on
105             whether there were any errors preventing the strength of
106             passphrases from being fully checked or not.  A primary use for
107             this option is to test different policies and/or different ver‐
108             sions of passwdqc on large passphrase lists.
109
110     --version
111             Output pwqcheck program version and exit.
112
113     -h, --help
114             Output pwqcheck help text and exit.
115

EXIT STATUS

117     pwqcheck exits with non-zero status when it encounters invalid config
118     file, invalid option, invalid parameter value, invalid data in standard
119     input, and in any case when it fails to check passphrase strength.  With‐
120     out the --multi option, pwqcheck also exits with non-zero status when it
121     detects a weak passphrase.
122

FILES

124     /etc/passwdqc.conf.
125

SEE ALSO

127     pwqgen(1), passwd(5), passwdqc.conf(5), pam_passwdqc(8).
128
129     http://www.openwall.com/passwdqc/
130

AUTHORS

132     The pam_passwdqc module was written for Openwall GNU/*/Linux by Solar
133     Designer.  The pwqcheck program was originally written for ALT
134     GNU/*/Linux by Dmitry V. Levin, indirectly reusing code from pam_passwdqc
135     (via libpasswdqc).  This manual page (derived from the pam_passwdqc docu‐
136     mentation) was written for Openwall GNU/*/Linux by Dmitry V. Levin.
137
138Openwall Project                March 15, 2010                Openwall Project
Impressum