NAME

       pwquality.conf - configuration for the libpwquality library

SYNOPSIS

       /etc/security/pwquality.conf

DESCRIPTION

       pwquality.conf  provides  a  way  to  configure  the default password quality requirements for the system
       passwords. This file is read by the libpwquality library and utilities that use this library for checking
       and generating passwords.

       The file has a very simple name = value format with possible comments  starting  with  #  character.  The
       whitespace at the beginning of line, end of line, and around the = sign is ignored.

OPTIONS

       The possible options in the file are:

           difok
               Number  of  characters in the new password that must not be present in the old password. (default
               5)

           minlen
               Minimum acceptable size for the new password (plus one if credits are not disabled which  is  the
               default). (See pam_pwquality(8).)  Cannot be set to lower value than 6. (default 9)

           dcredit
               The maximum credit for having digits in the new password. If less than 0 it is the minimum number
               of digits in the new password. (default 1)

           ucredit
               The maximum credit for having uppercase characters in the new password.  If less than 0 it is the
               minimum number of uppercase characters in the new password. (default 1)

           lcredit
               The maximum credit for having lowercase characters in the new password.  If less than 0 it is the
               minimum number of lowercase characters in the new password. (default 1)

           ocredit
               The  maximum  credit  for  having other characters in the new password.  If less than 0 it is the
               minimum number of other characters in the new password. (default 1)

           minclass
               The minimum number of required classes of characters for the  new  password  (digits,  uppercase,
               lowercase, others). (default 0)

           maxrepeat
               The  maximum  number  of  allowed  same consecutive characters in the new password.  The check is
               disabled if the value is 0. (default 0)

           maxsequence
               The maximum length of monotonic character sequences  in  the  new  password.   Examples  of  such
               sequence are '12345' or 'fedcb'. Note that most such passwords will not pass the simplicity check
               unless  the sequence is only a minor part of the password.  The check is disabled if the value is
               0. (default 0)

           maxclassrepeat
               The maximum number of allowed consecutive characters of the same class in the new password.   The
               check is disabled if the value is 0. (default 0)

           gecoscheck
               If  nonzero,  check whether the words longer than 3 characters from the GECOS field of the user's
               passwd entry are contained in the new password.  The  check  is  disabled  if  the  value  is  0.
               (default 0)

           badwords
               Space  separated  list  of words that must not be contained in the password. These are additional
               words to the cracklib dictionary check. This setting can be also used by applications to  emulate
               the gecos check for user accounts that are not created yet.

           dictpath
               Path to the cracklib dictionaries. Default is to use the cracklib default.

SEE ALSO

       pwscore(1), pwmake(1), pam_pwquality(8)

AUTHORS

       Tomas Mraz <tmraz@redhat.com>

Red Hat, Inc.                                      10 Nov 2011                                 PWQUALITY.CONF(5)