cracklib-format

cracklib-format [OPTION]... [FILE]

-h, --help
    Display usage message and exit

-V, --version
    Print version information and exit

-o, --output=FILE
    Write output to FILE instead of stdout

FILE
    Read words from FILE; default is stdin

cracklib-format is a utility from the Cracklib library, designed to prepare wordlists for use in password strength validation. It reads a stream of unique, sorted words (one per line) from standard input or a specified file, computes a proprietary checksum for each word, and outputs lines in the format "word:checksum". This output is typically piped to cracklib-packer to create the final dictionary files (pw_dict.h and associated .pwd files) used by applications like passwd or useradd for rejecting weak passwords.

The command ensures efficient storage and fast lookups in Cracklib's probabilistic dictionary. Input must be pre-sorted and deduplicated (e.g., via sort -u) to avoid errors or duplicates. It handles large wordlists but may consume significant memory for very big inputs. Commonly used to build system-wide dictionaries from sources like SCOWL or custom lists, enhancing security against dictionary attacks.

Input must be sorted and unique (sort -u first); large files need substantial RAM; output requires cracklib-packer to complete dictionary.

sort -u /usr/share/dict/words | cracklib-format -o cracklib.dict
cracklib-packer cracklib.dict pw_dict.h

Each line: "lowercase_word:32-bit_checksum"; checksum enables fast offensive guessing detection.

Developed by Alec Muffett in the early 1990s as part of Cracklib for proactive password checking on Unix systems; evolved through versions like cracklib2, integrated into major distros (e.g., Red Hat, Debian) for PAM modules.

cracklib-check(1), cracklib-packer(8), pwck(8)