Password similarity

dertoni asked:

I wanted to change my password on a unix machine. I did a normal “passwd” and typed in my old and my new password.

Then the machine came back to me with the following message:

BAD PASSWORD: is too similar to the old one

That got me thinking… Does that mean, the machine has my password in clear text somewhere? Otherwise it should not be able to compare the old and the new password, right? Or is there a hash function, that enables that?

My answer:

Your old passwords are not stored in plain text.

Instead, your old password hashes are stored in /etc/security/opasswd by PAM. It then makes the comparison when you go to change your password, based on what has been specified in the PAM configuration.

An example PAM config:

password required sha512 remember=12 use_authtok

Here, remember causes it to remember 12 previous passwords.

For further detail, see Linux Password Security with pam_cracklib.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.