HowTo: Linux Check Password Strength With Cracklib-check Command

Reusing the same password on different servers lets an attacker into all of your accounts once a cracker manages to steal that password from the least secure one. This is true for online website accounts too. So the solution is to create a unique password for each server account, such as your email, sftp and ssh accounts. The general guidelines for creating a strong and unique password are as follows:

Creating a strong and unique password for Linux or Unix-like systems

  1. Create a password with a mix of numbers, special symbols, and letters.
  2. Make sure your password is hard to guess. You can use a tool such as makepasswd to create a hard-to-guess password.
  3. Do not use simple words like “password”, “123456”, “123abc” or “qwerty”.
  4. Use a different password for each of your server accounts.
  5. A minimum password length of 12 to 14 characters should be used. See how to configure CentOS / RHEL / Fedora Linux based server password quality requirements.
  6. Generate passwords randomly where feasible. You can do this with a simple shell script function.
  7. If possible, use two-factor authentication.
  8. Use pam_cracklib to enforce strong passwords at password-change time and to check new passwords against a dictionary.

But how do you test how well a password resists guessing and brute-force attacks under Linux? The answer is simple: use the cracklib-check command.

Install cracklib on a Linux based system

Type the following yum command to install on RHEL and friends:
# yum install cracklib
Type the following apt-get command to install on Debian/Ubuntu and friends:
# apt-get install libcrack2

Say hello to cracklib-check

This command reads a list of passwords, one per line, from standard input (your keyboard or a pipe) and checks each one using libcrack2. The idea is simple: stop users from choosing passwords that a cracker such as “crack” would guess, by filtering them out at the source.

Test a simple password like “password”, enter:
$ echo "password" | cracklib-check
Sample outputs:

password: it is based on a dictionary word

Try sequential patterns such as “abc123456”:
$ echo "abc123456" | cracklib-check
Sample outputs:

abc123456: it is too simplistic/systematic

Try a password with a mix of letters, numbers, and symbols:
$ echo 'i1oVe|DiZza' | cracklib-check
Sample outputs:

i1oVe|DiZza: OK

A password like this is considerably harder to guess or crack. I started from a phrase that is easy to remember, “I Love Pizza”, and substituted and inserted characters to get “i1oVe|DiZza”. Note that OK only means cracklib found nothing to object to: it filters out obviously weak choices but is not a measure of strength (see the comments below for passwords it accepts).

Fig.01: Linux cracklib-check command examples

A note about security

The examples above are insecure: the password lands in your shell’s history file and, if echo is an external command rather than a shell builtin, is also visible to other users in ps output while the command runs. Instead, run cracklib-check with no arguments, type the passwords one per line (they go to stdin, not into your history), and press Ctrl-D to finish and see the results:

$ cracklib-check
password
i1oVe|DiZza
Ctrl-D #Press CTRL + D to exit and see result

Sample outputs:

password: it is based on a dictionary word
i1oVe|DiZza: OK

OR use a here string to check a single password (nothing is passed as an argument, so ps cannot see it, but the command line itself is still recorded in your shell history):
$ cracklib-check <<<"i1oVe|DiZza"
Sample outputs:

i1oVe|DiZza: OK

So cracklib-check takes a list of passwords from stdin and checks them via libcrack2’s API for you.

Putting it all together

#!/bin/bash
# A sample shell script to add user to the system
# Check password for strength
# Written by Vivek Gite under GPL v2.x+
# ----------------------------------------------
read -p "Enter username : " user
read -sp "Enter password : " password
echo
echo "Testing password strength..."
# cracklib-check reads the candidate from stdin; the here string keeps it
# off the command line (and read -s kept it out of the shell history)
result="$(cracklib-check <<<"$password")"
# okay awk is a bad choice but this is a demo
# (a password containing ': ' would shift the awk fields)
okay="$(awk -F': ' '{ print $2}' <<<"$result")"
if [[ "$okay" == "OK" ]]
then
	echo "Adding a user account please wait..."
	# look useradd/chpasswd up in PATH; they live in /usr/sbin on many distros
	useradd -m -s /bin/bash "$user"
	echo "$user:$password" | chpasswd
else
	echo "Your password was rejected - $result"
	echo "Try again."
	exit 1
fi
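The script above vets a password that the user typed in; guideline 6 suggested generating one randomly instead, and the note on security explained why the candidate should reach cracklib-check via stdin rather than the command line. The following bash script is an added example written for this edit, not code from the original article: genpass draws a random password from /dev/urandom and retries until it contains every character class, and checkpass feeds a candidate to cracklib-check through a here string and returns success only for an “OK” verdict. It assumes bash, GNU coreutils (tr, head), /dev/urandom, and cracklib-check with its dictionary installed as shown earlier; the names genpass and checkpass are chosen here.

```bash
#!/bin/bash
# Added example (not from the original article): generate a random password
# that satisfies the guidelines above, then vet it with cracklib-check the way
# the article recommends, without putting the secret on a command line.
# Assumes bash, GNU coreutils (tr, head), /dev/urandom, and cracklib-check
# with its dictionary installed (yum install cracklib / apt-get install libcrack2).

# genpass [LEN]: print one random password of LEN characters (default 14,
# the article's recommended minimum) drawn from letters, digits and symbols.
# /dev/urandom is the entropy source; the loop retries until the sample holds
# at least one upper-case letter, one lower-case letter, one digit and one symbol.
genpass() {
    local len="${1:-14}" pw
    while :; do
        pw="$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_=+-' < /dev/urandom | head -c "$len")"
        if [[ "$pw" == *[[:upper:]]* ]] && [[ "$pw" == *[[:lower:]]* ]] \
           && [[ "$pw" == *[[:digit:]]* ]] && [[ "$pw" == *[[:punct:]]* ]]; then
            break
        fi
    done
    printf '%s\n' "$pw"
}

# checkpass PASSWORD: feed the candidate to cracklib-check on stdin (a here
# string: nothing on argv, so nothing for ps to show) and print its verdict.
# Returns 0 when cracklib answers "OK", 1 otherwise (also 1 if cracklib-check
# is not installed). The verdict is taken with ${verdict##*: } rather than awk,
# so a password that itself contains ": " cannot shift the parsed field the
# way it would with the awk one-liner in the article's script.
checkpass() {
    local verdict
    verdict="$(cracklib-check <<<"$1")" || return 1
    printf '%s\n' "$verdict"
    [[ "${verdict##*: }" == "OK" ]]
}

# Demo when run as a script: show what cracklib says about the article's two
# weak examples next to a freshly generated password.
if [[ "${BASH_SOURCE[0]}" == "$0" ]] && command -v cracklib-check >/dev/null 2>&1; then
    for candidate in password abc123456 "$(genpass 14)"; do
        checkpass "$candidate" || true
    done
fi
```

Run it as a script to see the two weak examples rejected beside a generated password, or source it and call genpass 16 or checkpass from an interactive shell. The secret never appears as a command-line argument to an external program, and because checkpass parses the verdict with a parameter expansion instead of awk, a password containing “: ” does not confuse the check.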

A note about password manager

A reasonable compromise for managing a large number of passwords is to record them in a password manager, which can be a stand-alone application, a web browser extension, or a manager built into the operating system. See how to install gpass – an easy to use and secure password manager for GNOME2 under RHEL / CentOS / Fedora Linux desktop. gpass stores all your passwords in an encrypted (Blowfish) file, protected by a master password.

Check out related media

(Video:01 – How to create a strong password)
6 comments… add one
  • Florian Jul 23, 2012 @ 14:12

    And don’t forget that the best password is long and easy to remember (but hard to guess), aka the passphrase :

  • loomsen Jul 26, 2012 @ 8:26

    Nice idea, but unfortunately:

    doc@desktop:~$ cracklib-check <<<"foobarbazqux"
    foobarbazqux: OK

    It's not very reliable from a quick check imo.. But better than nothing, probably.

  • phaleon Oct 24, 2014 @ 19:26

    I did install “pass” 3 days ago and it seems to be a good password manager

  • Ashwani Soni May 14, 2015 @ 7:50

    Yes, nice work. But on my system, an error is displayed. Please suggest:

    Enter username : asd
    Enter password :
    Tesing password strength…

    Adding a user account please wait…
    line 21: /sbin/useradd: No such file or directory
    line 22: /sbin/chpasswd: No such file or directory
    [root@telone-test ~]#

  • Kamil Nov 29, 2015 @ 22:54

    “# okay awk is bad choice but this is a demo”

    why bad choice?

  • netikras Jan 8, 2017 @ 9:50

    umm… this is quite poor.

    netikras@netikras-xps ~ $ echo "password12321" | cracklib-check
    password12321: OK
    netikras@netikras-xps ~ $

    Also… I assume that the dict is only English. If I check “password” translated to, say, Lithuanian (“slaptazodis”) — cracklib says it’s OK.

    A hacker is not always an English-only speaker. I wouldn’t trust this on PROD or UAT or anything else publicly accessible.
