114

I know that it is a "bad" idea, I know that it is not secure, I know. I searched the net for an answer and all I saw was whining that it's not good. But I like using Linux because it lets me make the system I want and like to use. The end of intro.

I try to change password:

user:~% passwd
Changing password for user.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
You must choose a longer password

If I try sudo passwd user then I can set any password I want so I don't need password complexity checks for passwd on my system.

After googling I found that there should be a PAM module, pam_cracklib, that tests passwords for complexity and can be configured. But my PAM password settings don't include pam_cracklib:

% cat /etc/pam.d/passwd | grep '^[^#]'
@include common-password
% cat /etc/pam.d/common-password | grep '^[^#]'
password    [success=1 default=ignore]  pam_unix.so obscure sha512
password    requisite           pam_deny.so
password    required            pam_permit.so
password    optional    pam_gnome_keyring.so 

I guess that pam_unix makes this test... Oops... Guys, the moment I finished writing this sentence I had an enlightenment and typed man pam_unix in a terminal, where I found the needed options for the pam_unix module.

I just removed the obscure option and added minlen=1, and now I'm happy. So now I have this line in /etc/pam.d/common-password:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

and I can set any password.

I decided to keep this post for people who might need this solution also.

wobmene
  • 2,101

7 Answers

86

Ok, I will answer my question :)

I've found that the pam_unix module performs a password complexity check and that it can be configured.

man pam_unix:

   minlen=n
       Set a minimum password length of n characters. The default value is
       6. The maximum for DES crypt-based passwords is 8 characters.

   obscure
       Enable some extra checks on password strength. These checks are
       based on the "obscure" checks in the original shadow package. The
       behavior is similar to the pam_cracklib module, but for
       non-dictionary-based checks.

Solution:
Alter the line in the pam_unix module in the /etc/pam.d/common-password file to:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

It allows you to set any password with a minimum length of 1.

Nav
  • 1,149
  • 13
  • 26
wobmene
  • 2,101
60

If it is a once off, using the passwd command as root you can set a simple password for a user by simply entering the desired value, and then enter the password two times at the prompts.

john@workpad:~$ sudo bash
[sudo] password for john: 
root@workpad:/home/john# passwd john
New password: 
Retype new password: 
passwd: password updated successfully
root@workpad:/home/john# exit
exit
john@workpad:~$ 
John Mee
  • 1,053
sweetfa
  • 1,181
18

Open the common-password config file for editing:

sudo -H gedit /etc/pam.d/common-password

Comment this line by adding the # character to the front as shown:

#password   [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512

Also comment this line, otherwise password setting will ask you to pass a mix of upper/lower case letters:

#password   requisite           pam_passwdqc.so enforce=everyone max=18 min=disabled,8,8,1,1 retry=2 similar=deny

Now just add this line into the same file:

password    [success=1 default=ignore]  pam_unix.so minlen=1 sha512

This should do it...

Eliah Kagan
  • 119,640
Puttaraju
  • 281
4

For me on Ubuntu 21.04 in /etc/pam.d/common-password file:

  1. Comment this line, because pwquality is an analogue of pam_cracklib for password restrictions

password requisite pam_pwquality.so retry=3

  2. Change the next line from

     password    [success=2 default=ignore]  pam_unix.so obscure use_authtok try_first_pass sha512
    

to

    password        [success=2 default=ignore]      pam_unix.so minlen=1 sha512
Pilot6
  • 92,041
Log
  • 141
4

In /etc/pam.d/common-password change this line:

password requisite pam_pwquality.so retry=3

to

password requisite pam_pwquality.so dictcheck=0 retry=3 

This means setting dictcheck=0, so it will ignore the dictionary check.

jazeb007
  • 221
1

I tried ALL of the methods on a machine with a strange and very strict installation using a manipulation-resistant PAM.

On this machine, none of the tricks above helped to change the password of a local account (without Windows domain) to some new value. The PAM rules always kicked in, even when using sudo passwd.

Changes to /etc/pam.d/common-password resulted in passwd failing altogether due to 'manipulation error'.

My solution to it was to set the password on another machine on which I also have root access, then copy/paste the hashed value from the /etc/shadow from that machine to the other simply using sudo vi /etc/shadow. The strict PAM did not block that, and it works. (Yes, I know it also copies the salt.)

0

For Ubuntu 22.04 LTS

In /etc/pam.d/common-password change this line:

password requisite pam_pwquality.so retry=3

to

password requisite pam_pwquality.so retry=3 minlen=6

Deali
  • 11
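
For administrators who need to find hosts where the edits described in the answers above have been applied, here is an added example (not code from any of the posters) that parses the `password` stack of `common-password` and reports settings weaker than the pam_unix defaults quoted from the man page. The sample file content is constructed from lines on this page; the function names and the choice of 6 as the threshold are assumptions of this example.

```python
import os
import re

# Constructed sample of /etc/pam.d/common-password, assembled from lines quoted
# in the answers above (not taken from a real host).
SAMPLE = """\
# constructed comment line
#password requisite pam_pwquality.so retry=3
password requisite pam_pwquality.so dictcheck=0 retry=3
password [success=1 default=ignore] pam_unix.so minlen=1 sha512
password requisite pam_deny.so
password required pam_permit.so
"""

# type, control (plain word or [bracketed list]), module, then arguments
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
UNIX_DEFAULT_MINLEN = 6  # default stated in man pam_unix


def parse_password_stack(text):
    """Return [(module, {option: value})] for every active 'password' rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = RULE.match(line)
        if not m or m.group(1) != "password":
            continue  # blank, comment, @include, or another PAM type
        opts = dict(arg.partition("=")[::2] for arg in m.group(4).split())
        rules.append((os.path.basename(m.group(3)), opts))
    return rules


def audit(text, min_len=UNIX_DEFAULT_MINLEN):
    """List settings weaker than the pam_unix defaults (assumed policy)."""
    findings = []
    for module, opts in parse_password_stack(text):
        if module == "pam_unix.so":
            raw = opts.get("minlen", "")
            n = int(raw) if raw.isdigit() else UNIX_DEFAULT_MINLEN
            if n < min_len:
                findings.append(f"pam_unix.so: minlen={n} is below {min_len}")
            if "obscure" not in opts:
                findings.append("pam_unix.so: 'obscure' strength checks are off")
        elif module == "pam_pwquality.so" and opts.get("dictcheck") == "0":
            findings.append("pam_pwquality.so: dictionary check disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WEAK:", finding)
```

To audit a real host, pass the contents of `/etc/pam.d/common-password` to `audit()` instead of `SAMPLE`.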