115

I know that it is a "bad" idea, I know that it is not secure, I know. I searched the net for an answer and all I saw was whining that it's not good. But I like using Linux because it lets me make the system I want and like to use. The end of intro.

I try to change password:

user:~% passwd Changing password for user. (current) UNIX password: Enter new UNIX password: Retype new UNIX password: You must choose a longer password

If I try sudo passwd user then I can set any password I want so I don't need password complexity checks for passwd on my system.

After googling I've found that there should be PAM module pam_cracklib that tests password for complexity and it can be configured. But my PAM password settings doesn't include pam_cracklib:

% cat /etc/pam.d/passwd | grep '^[^#]' @include common-password % cat /etc/pam.d/common-password | grep '^[^#]' password [success=1 default=ignore] pam_unix.so obscure sha512 password requisite pam_deny.so password required pam_permit.so password optional pam_gnome_keyring.so

I guess that pam_unix makes this test... Oops... Guys, the moment I finished to write this sentence I've got an enlightenment and typed man pam_unix in terminal where I've found needed options for pam_unix module.

I just removed option obscure and added minlen=1 and now I'm happy. So now I have this line in /etc/pam.d/common-password:

password [success=1 default=ignore] pam_unix.so minlen=1 sha512

and I can set any password.

I decided to keep this post for people who might need this solution also.

Improve this question
8
  • 4
    I simply wanted to change my pwd to 123. Couldn't do that with passwd. Tried "sudo passwd <user_name>" and it worked like charm. Didn't need rest of the mumbo-jumbo. Thanks for that part! : ) Commented Oct 2, 2013 at 13:22
  • 4
    Great Intro. I have a windows laptop that spends 50% cpu cycles protecting me from viruses. Guess what? Do not need any viruses. The computer is already worthless. So .. linux lets us do what we want. I'm behind a firewall and the computer does not leave my home. Short password? Yes please. Commented Dec 3, 2016 at 6:28
  • 1
    @rslnx I think when you're posting your question it gives you the option to provide an answer immediately; I think the 8 hour delay is only there if you don't post your Q/A pair at the same time Commented Jul 15, 2019 at 15:03
  • 2
    WestCoastProjects used to be correct, Linux used to let us do what we want, which is exactly the problem here. It can feel free to give a warning about using a password that it considers weak and isn't up to its standards, but it shouldn't block us from using one, especially, since Linux users usually know what they're doing. 🤦 Commented Jun 12, 2021 at 14:56
  • 1
    This also bothered me. I could create a password like "abe123!" but not "abe123Vulkan!", because the word "Vulkan" failed the dictionary check. This seems strange to me, because 2nd password is longer and also contains an upper-case letter. I feel like the Linux behaviour should default to a warning when password is too easy to crack, and not an error. Besides - you want the pc password to be easy to remember, and not something like "!yHf*_6/@hYf9" Commented Feb 20, 2023 at 13:26

8 Answers 8

Reset to default
87

Ok, I will answer my question :)

I've found that pam_unix module performs password complexity check and it can be configured.

man pam_unix:

 minlen=n Set a minimum password length of n characters. The default value is 6. The maximum for DES crypt-based passwords is 8 characters. obscure Enable some extra checks on password strength. These checks are based on the "obscure" checks in the original shadow package. The behavior is similar to the pam_cracklib module, but for non-dictionary-based checks.

Solution:
Alter the line in the pam_unix module in the /etc/pam.d/common-password file to:

password [success=1 default=ignore] pam_unix.so minlen=1 sha512

It allows you to set any password with minimal length of 1.

Improve this answer
3
  • 1
    Related details on password complexity: askubuntu.com/questions/244115/… Commented Sep 24, 2019 at 21:31
  • 5
    Bonus hint: remove the obscure option if present. Commented Apr 6, 2022 at 9:50
  • 1
    Ubuntu 20.20 : after setting min len to 3, I entered new pass. It threw message that min pass length is 8. I typed pass again. It said password set. So ignore warning if you have. It will work Commented Aug 23, 2023 at 1:39
60

If it is a once off, using the passwd command as root you can set a simple password for a user by simply entering the desired value, and then enter the password two times at the prompts.

john@workpad:~$ sudo bash [sudo] password for john: root@workpad:/home/john# passwd john New password: Retype new password: passwd: password updated successfully root@workpad:/home/john# exit exit john@workpad:~$
Improve this answer
2
  • 10
    He means doing sudo su && passwd username then Linux will allow you to use any password you would like. Commented Aug 15, 2019 at 1:35
  • 6
    Note that you will still get the warning "BAD PASSWORD", but this lets you change the password anyway. Commented Sep 30, 2022 at 9:40
18

Open the common-password config file for editing:

sudo -H gedit /etc/pam.d/common-password

Comment this line by adding the # character to the front as shown:

#password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

Also comment this line, otherwise password setting will ask you to pass a mix of upper/lower case letters:

#password requisite pam_passwdqc.so enforce=everyone max=18 min=disabled,8,8,1,1 retry=2 similar=deny

Now just add this line into the same file: 

password [success=1 default=ignore] pam_unix.so minlen=1 sha512

this should do it...

Improve this answer
2
  • FYI, there is no pam_passwdqc.so line in my default install of 14.04 server. Maybe someone (admin?) added it on purpose? ;) Commented Aug 29, 2014 at 8:40
  • 1
    correct answer for ubuntu 22.04 Commented Mar 1, 2023 at 10:20
4

For me on Ubuntu 21.04 in /etc/pam.d/common-password file:

  1. Comment this line, because pwquality is an analogue of pam_cracklib for password restrictions

password requisite pam_pwquality.so retry=3

  1. Change next line from

     password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512

to

 password [success=2 default=ignore] pam_unix.so minlen=1 sha512
Improve this answer
4

in /etc/pam.d/common-password change this line:

password requisite pam_pwquality.so retry=3

to

password requisite pam_pwquality.so dictcheck=0 retry=3

means set dictcheck=0, it will ignore the dictionary check

Improve this answer
1
  • i finished with sudo apt-get purge libpam-pwquality :) Commented Dec 1, 2022 at 8:11
1

I tried ALL of the methods on a machine with a strange and very strict installation using a manipulation resistant PAM.

On this machine, none of the tricks above helped to change the password of a local account (without windows domain) to some new value. The PAM rules always kicked in, even when using sudo passwd

Changes on the /etc/pam.d/common-password resulted in passwd failing alltogether due to 'manipulation error'.

My solution to it was to set the password on another machine on which I also have root access, then copy/paste the hashed value from the /etc/shadow from that machine to the other simply using sudo vi /etc/shadow . The strict PAM did not block that, and it works. (yes, I know it also copies the salt)

Improve this answer
1

for Ubuntu 22.04 LTS

in /etc/pam.d/common-password change this line:

password requisite pam_pwquality.so retry=3

to

password requisite pam_pwquality.so retry=3 minlen=6

Improve this answer
3
  • 1
    There is already an answer that has been accepted. How is yours an improvement? This is an 11 year old question. Many things have changed in Ubuntu in the last 11 years. Commented Apr 4, 2023 at 9:33
  • Changing pam_pwquality.so is already mentioned in askubuntu.com/a/1430471/158442 Commented Jul 5, 2023 at 10:21
  • This helped me, exact instructions for ubuntu 22 Commented May 8, 2024 at 0:56
0

I found the easiest way, on Ubuntu at least, to be running sudo pam-auth-update. This will guide you and update the PAM config files accordingly.

To disable the password strength check, uncheck this option in the list:

[ ] Pwquality password strength checking

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.