cracklib-check
Check passwords against dictionary words
SYNOPSIS
cracklib-check
DESCRIPTION
cracklib-check is a fundamental utility within the CrackLib library, designed to assess the robustness of user-supplied passwords. Its primary function is to help enforce strong password policies on Unix-like systems.
The command operates by performing a series of checks on each password it receives:
It compares the input password against an extensive dictionary of commonly used words, names, and patterns stored in its internal databases.
It applies various heuristic rules to detect simple permutations, repetitions, keyboard patterns, and other easily guessable structures.
It also checks for passwords that are too short, too simple, or mirror user information.
cracklib-check reads the password from standard input and outputs a message to standard output indicating whether the password is "OK" or providing a specific reason for its rejection (e.g., "it is based on a dictionary word," "it is too short").
This tool is crucial for system administrators to prevent users from selecting insecure passwords that could be easily compromised by dictionary attacks or brute-force methods, thereby enhancing overall system security.
CAVEATS
The effectiveness of cracklib-check is heavily reliant on the comprehensiveness and currency of its installed dictionary files. An outdated or incomplete dictionary may allow weaker passwords to pass.
While it provides a crucial first line of defense, it is not a standalone solution for password security. Systems should also employ other security measures like strong encryption, rate limiting, and multi-factor authentication.
It checks for common weaknesses but cannot detect if a password has been previously compromised in a data breach, which requires checking against breach databases.
INPUT AND OUTPUT
cracklib-check reads the password to be analyzed from standard input (STDIN), one password per line. It then prints a message to standard output (STDOUT). If the password is deemed strong enough, the output is typically 'OK'. Otherwise, a descriptive message indicating the reason for rejection (e.g., 'it is too short', 'it is based on a dictionary word', 'it is too simplistic/systematic') is provided.
The command's exit status is 0 if the password is acceptable, and non-zero (typically 1) if it is rejected.
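The stdin/stdout contract described above, driven from Python as an added example (this is not code from CrackLib). It assumes that each output line has the form `<password>: OK` or `<password>: <reason>` and that a `cracklib-check` binary is on PATH only for the live-run helper; the parsing functions work offline on captured output.

```python
"""Batch-check candidate passwords with cracklib-check and parse its verdicts.

Added example, not part of CrackLib. Assumes one verdict line per input
password in the form "<password>: OK" or "<password>: <reason>".
"""
import shutil
import subprocess
from typing import List, NamedTuple


class Verdict(NamedTuple):
    password: str
    accepted: bool
    reason: str  # "OK" when accepted, otherwise cracklib's rejection text


def parse_verdict_line(line: str) -> Verdict:
    """Split one output line into (password, accepted, reason).

    The verdict text never contains ": ", so splitting on the *last*
    occurrence keeps a password that itself contains ": " intact.
    """
    line = line.rstrip("\r\n")
    password, sep, reason = line.rpartition(": ")
    if not sep:
        raise ValueError(f"unexpected cracklib-check output: {line!r}")
    return Verdict(password, reason == "OK", reason)


def parse_output(text: str) -> List[Verdict]:
    """Parse the whole stdout of one cracklib-check run, skipping blank lines."""
    return [parse_verdict_line(l) for l in text.splitlines() if l.strip()]


def run_cracklib_check(candidates: List[str], binary: str = "cracklib-check") -> List[Verdict]:
    """Feed candidates on stdin, one per line, and parse the per-password verdicts.

    Verdicts are read from stdout rather than the exit status because a
    single process checks many passwords and reports each one on its own line.
    """
    if shutil.which(binary) is None:
        raise FileNotFoundError(f"{binary} is not installed or not on PATH")
    proc = subprocess.run([binary], input="\n".join(candidates) + "\n",
                          capture_output=True, text=True, check=False)
    return parse_output(proc.stdout)


if __name__ == "__main__":
    # Constructed sample candidates; results depend on the installed dictionary.
    for v in run_cracklib_check(["password", "correct horse battery staple"]):
        print(("ACCEPT" if v.accepted else "REJECT"), repr(v.password), v.reason)
```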
DICTIONARY FILES
The effectiveness of cracklib-check relies on its extensive dictionary files. These files, typically located in directories such as /usr/share/cracklib/, contain lists of common words, names, and patterns. Key files include pw_dict.pwd and pw_dict.pwi, which are indexed dictionary databases created from larger wordlists using cracklib-packer(8).
HISTORY
CrackLib, including the cracklib-check utility, was originally developed by Alec Muffett in the early 1990s. Its primary motivation was to provide a robust, open-source solution for enforcing stronger password policies on Unix and Unix-like operating systems. It quickly became a standard component in many Linux distributions and other systems, widely used to prevent users from choosing easily guessable passwords, and thereby strengthened the user-facing side of system security practice.
SEE ALSO
passwd(1), cracklib(3), pam_cracklib(8)