LinuxCommandLibrary

cracklib-check

Check passwords against dictionary words

SYNOPSIS

cracklib-check PASSWORD

PARAMETERS

PASSWORD
    The plaintext password string to validate against CrackLib dictionaries.

DESCRIPTION

cracklib-check is a lightweight command-line utility from the CrackLib library for validating password quality. CrackLib maintains a dictionary of weak passwords derived from dictionary words, common names, keyboard patterns, and leaked credentials from breaches.

The tool takes a single password argument and checks it against pre-built dictionary files (typically /var/cache/cracklib/cracklib.pwdf). It outputs OK if the password is strong enough, or NG: reason if rejected, with reasons like:
it is too short
it is simplistic: systematic (e.g., '123456')
it uses dictionary word
it is on compromised list.

Checks include length, repetition, sequential characters, and offensiveness. It's integral to Linux systems for enforcing password policies via PAM modules like pam_pwquality or pam_cracklib during passwd or useradd operations. Dictionaries are built from wordlists using companion tools. On Debian/Ubuntu, install via libcrack2 or cracklib-runtime; Fedora uses cracklib. Ideal for scripts automating password validation.

CAVEATS

Requires pre-installed CrackLib dictionaries; path varies by distro (e.g., /usr/share/cracklib/, /var/lib/cracklib/). Fails silently if dictionaries missing. Not for interactive use; best in pipelines or scripts. Does not hash or store passwords.

EXIT STATUS

Returns 0 if OK, non-zero (typically 1) if NG.

EXAMPLE USAGE

cracklib-check 'password123'
NG: it uses dictionary word
cracklib-check 'Tr0ub4dor&3!'
OK

DICTIONARY BUILDING

Use cracklib-pwcat wordlist | cracklib-format dict.pwdf to create custom dictionaries.

HISTORY

Developed by Alec Muffett in 1993 as part of the 'Crack' password-cracking suite. CrackLib evolved into a standard proactive password checker, with cracklib-check introduced early for dictionary-based validation. Maintained in Linux distros since mid-1990s; modern versions support GPGPU acceleration via optional John the Ripper integration.

SEE ALSO

cracklib-format(1), cracklib-pwdfchk(1), pam_pwquality(8), passwd(1)

Copied to clipboard