Glenn Johnson wrote:
> I have set up the password strength checking system using
>, set in /etc/pam.d/passwd. I have also set up password
> expiration.
> When a user issues the 'passwd' command, the password strength checking
> module works as expected. When a user logs in via the console after the
> password expiry time has passed, the login program prompts for a new
> password before the session begins. However, this password change has
> no strength check at all. Is there some other change I need to make to
> may pam configuration?

"Posted for someone who wishes to remain anyonyous":
I have this same problem.

With password strength checking in place, it drastically reduces
the search space that I need to cover in order to perform a brute
force attack, by disallowing a large portion of the space I would
otherwise need to pay attention to searching.

Without the strength checking on the password change, I have to
reexpand my search space to the entire search space, and it takes
a lot longer to crack passwords.

Please put a uniform "strength checking" algorithm in everywhere...

A. Hacker

8-) 8-).

-- Terry
_______________________________________________ mailing list
To unsubscribe, send any mail to ""