Linux: check passwords against a dictionary attack

A dictionary attack is a way of guessing a password by trying every entry in a list of likely candidates.

Wikipedia defines:
A dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching a large number of possibilities.

A dictionary attack also exploits the tendency of people to choose weak passwords, and is related to the previous attack. Password cracking programs usually come equipped with “dictionaries”, or word lists, with thousands or even millions of entries of several kinds, including:
=> Words in various languages
=> names of people
=> Places
=> Commonly used passwords etc

The same tools can be turned around: running a dictionary check against candidate passwords shows how much stronger some choices are than others, and Linux can refuse a weak choice at the moment the user tries to set it.

Check user passwords against a dictionary attack

Linux can be configured to reject easily guessed (weak) passwords with the cracklib PAM module, pam_cracklib. When a user runs passwd, the module checks the new password against the cracklib dictionary and against the length and similarity rules configured in the PAM stack; the change is refused until the user supplies a password that satisfies all of them.

Open the PAM password configuration file for your distribution and edit it as follows.

Redhat/Fedora/CentOS Linux

The cracklib PAM module is installed by default, so there is nothing to install. Open the config file:
# vi /etc/pam.d/system-auth
Append/modify as follows:
password required /lib/security/ retry=2 minlen=10 difok=6

Debian or Ubuntu Linux

First install the libpam-cracklib package to enable cracklib support:
# apt-get install libpam-cracklib
$ sudo apt-get install libpam-cracklib
Now open the config file (on Debian and Ubuntu the password stack lives in common-password, not system-auth):
# vi /etc/pam.d/common-password
Append/modify as follows:
password required retry=2 minlen=10 difok=6

Save and close the file.


  • retry=2 : prompt the user at most 2 times for a new password before returning an error.
  • minlen=10 : the minimum acceptable score for a new password. The score is the password length plus the credits listed below, so with the default credit of 1 per class a 6-character password containing a digit, an upper-case letter, a lower-case letter and a symbol already scores 10; minlen=10 does not by itself mean 10 characters.
  • difok=6 : at least 6 characters of the new password must not occur anywhere in the old one; otherwise the user sees the error BAD PASSWORD: is too similar to the old one
  • The following options control how the score (the module calls this the "simplicity" check) is computed:
    • dcredit=N : digits
    • ucredit=N : upper-case letters
    • lcredit=N : lower-case letters
    • ocredit=N : other characters
    A positive N adds up to N to the score when the password contains characters of that class; a negative N adds nothing and instead requires at least |N| characters of that class.

Note that these restrictions apply only to normal users; root is not subject to them and can set any password.
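To see what the options above actually enforce, here is an added example (not from this page and not the pam_cracklib source) that models the module's checks in Python: the minlen score with the four credit options, difok, retry, and the module's fixed checks (dictionary word, same as old, palindrome, case changes only, and the user-name check that newer pam_cracklib releases and pam_pwquality perform). CONSTRUCTED_WORDLIST is a constructed stand-in for the real cracklib dictionary, and the option names and error strings are the ones the module prints after "BAD PASSWORD:".

```python
"""Model of the checks pam_cracklib applies when a password is changed.

Added example, not the module's code: it re-implements the rules that the
option line controls (minlen with the *credit options, difok, retry) and
the module's fixed checks, so a pam.d line can be exercised offline.
CONSTRUCTED_WORDLIST is a constructed stand-in for the cracklib dictionary.
"""
from typing import Dict, List, Optional

CONSTRUCTED_WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey"}

# pam_cracklib's documented defaults for the options this model understands.
DEFAULT_OPTIONS: Dict[str, int] = {"retry": 1, "minlen": 9, "difok": 5,
                                   "dcredit": 1, "ucredit": 1,
                                   "lcredit": 1, "ocredit": 1}

PUNCT = "0123456789!@#$%^&*()_+-=[]{};:'\",.<>/?\\|`~ "


def parse_options(pam_line: str) -> Dict[str, int]:
    """Read key=value options from a line such as
    'password required pam_cracklib.so retry=2 minlen=10 difok=6'."""
    opts = dict(DEFAULT_OPTIONS)
    for token in pam_line.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = int(value)
    return opts


def simplicity_score(pw: str, dcredit: int, ucredit: int,
                     lcredit: int, ocredit: int) -> Optional[int]:
    """The number compared against minlen: length plus credits.

    A positive credit N adds up to N for characters of that class; a
    negative N adds nothing and instead demands at least |N| of them.
    Returns None when such a demand is not met.
    """
    digits = sum(c.isdigit() for c in pw)
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    other = len(pw) - digits - upper - lower
    score = len(pw)
    for count, credit in ((digits, dcredit), (upper, ucredit),
                          (lower, lcredit), (other, ocredit)):
        if credit >= 0:
            score += min(count, credit)
        elif count < -credit:
            return None
    return score


def is_dictionary_word(pw: str, wordlist=CONSTRUCTED_WORDLIST) -> bool:
    """Crude stand-in for cracklib's dictionary check: the lowercased
    password, its reverse, and both with leading/trailing digits and
    punctuation stripped must not be dictionary words."""
    low = pw.lower()
    core = low.strip(PUNCT)
    return any(c in wordlist for c in {low, low[::-1], core, core[::-1]} if c)


def check_password(new: str, old: str = "", user: str = "",
                   opts: Optional[Dict[str, int]] = None) -> Optional[str]:
    """None if acceptable, else the reason shown after 'BAD PASSWORD:'."""
    o = opts or DEFAULT_OPTIONS
    newmono, oldmono = new.lower(), old.lower()
    if is_dictionary_word(new):
        return "it is based on a dictionary word"
    if old and new == old:
        return "is the same as the old one"
    if newmono == newmono[::-1]:
        return "is a palindrome"
    if old and newmono == oldmono:
        return "case changes only"
    # difok: this many characters of the new password must be absent from the old one
    if old and sum(1 for c in newmono if c not in oldmono) < o["difok"]:
        return "is too similar to the old one"
    score = simplicity_score(new, o["dcredit"], o["ucredit"],
                             o["lcredit"], o["ocredit"])
    if score is None or score < o["minlen"]:
        return "is too simple"
    # user-name check, as in newer pam_cracklib releases and pam_pwquality
    if user and (user.lower() in newmono or user.lower()[::-1] in newmono):
        return "contains the user name in some form"
    return None


def change_password(attempts: List[str], old: str, user: str,
                    opts: Dict[str, int]) -> Optional[str]:
    """Mimic retry=N: accept the first candidate that passes; after N
    rejected candidates passwd gives up and returns None."""
    for candidate in attempts[:opts["retry"]]:
        if check_password(candidate, old, user, opts) is None:
            return candidate
    return None


if __name__ == "__main__":
    o = parse_options("password required pam_cracklib.so retry=2 minlen=10 difok=6")
    for pw in ("password1", "abcdefgh", "Tr0ub4dor&3", "c0rrect-Horse!"):
        print(f"{pw!r}: {check_password(pw, 'Tr0ub4dor&2', 'alice', o)}")
```

Two things worth noticing when you run it: "abcdefgh" passes with the module defaults (8 characters plus one lower-case credit scores exactly 9) but fails with minlen=10, and "Tr0ub4dor&3" is rejected as too similar to "Tr0ub4dor&2" because only one of its characters is absent from the old password, well short of difok=6.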

  • HT Aug 5, 2011 @ 18:56

    When a user's password has expired and they need to enter a new password, the user does not know the password complexity set by PAM, i.e. uppercase letter, lowercase letter and alphanumeric value. Is there a way to prompt the user for a password but also display text telling the user what the password complexity is? Is it good practice to tell the user the password complexity setting?

    • csa Jul 10, 2014 @ 16:45

      @HT No, that will make a cracker's job easier!

      • Sunny Sep 14, 2015 @ 15:49

        @csa: How will it make the cracker's job easier?

        • Jim Klimov Oct 6, 2015 @ 14:52

          Brute-forcing passwords is a huge job of trying out millions of combinations. Openly leaking the rulesets, such as constraining that only combinations from 8 to 12 characters are valid, and that at least one must be a number (so no more than 7 to 11 are other chars) etc. greatly reduces the amount of plausible variants for the cracker to try and so he (or she, or it) might come up with a match much faster.

  • Mask Jan 10, 2017 @ 23:54

    How do you ensure that a password is not the same as the username?
    – we are using Redhat Linux 6.5
