I wanted to change my password on a unix machine. I did a normal “passwd” and typed in my old and my new password.
Then the machine came back to me with the following message:
BAD PASSWORD: is too similar to the old one
That got me thinking… Does that mean the machine has my password in clear text somewhere? Otherwise it should not be able to compare the old and the new password, right? Or is there a hash function that enables that?
Your old passwords are not stored in plain text.
Instead, your old password hashes are stored in /etc/security/opasswd by PAM. It then makes the comparison when you go to change your password, based on what has been specified in the PAM configuration.
An example PAM config:
password required pam_unix.so sha512 remember=12 use_authtok
remember causes it to remember 12 previous passwords.
For further detail, see Linux Password Security with pam_cracklib.