# OpenPAM and cracklib



## gallo (May 8, 2013)

Hello guys,

My team and I had a nice idea to improve Linux-PAM's pam_cracklib with a new algorithm for similarity. However, we are due to decide whether we will stick to Linux-PAM or go to BSD's OpenPAM.

We are especially interested in the way a password is checked for similarity with the previous one when the user issues a `passwd`.

Any thoughts? 

How is this accomplished with OpenPAM, as apparently there is no pam_cracklib.so module?

Best,
Roberto


----------



## SirDice (May 8, 2013)

I think you're looking for pam_passwdqc(9).

It looks like it already has the functionality you're looking for:

```
similar=permit|deny
             (similar=deny) Whether a new password is allowed to be similar to
             the old one.  The passwords are considered to be similar when
             there is a sufficiently long common substring and the new pass-
             word with the substring removed would be weak.
```
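
The manual text above describes the check in two steps: find a sufficiently long common substring between old and new password, then ask whether the new password is still strong once that substring is cut out. The following C program is an added illustration of that idea, not pam_passwdqc's own code: the thresholds (`SIMILAR_MIN_COMMON`, `REMAINDER_MIN_LEN`) and the simple character-class strength rule are assumptions chosen for the example, and the sample passwords in `main` are constructed, not real credentials.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Shortest shared substring that makes two passwords "related".
 * Hypothetical threshold for this example, not passwdqc's value. */
#define SIMILAR_MIN_COMMON 4
/* Shortest remainder that is not automatically considered weak.
 * Hypothetical threshold for this example. */
#define REMAINDER_MIN_LEN 6

/* Length of the longest common substring of a and b (case-insensitive).
 * On return *b_off holds the offset of that substring inside b.
 * Both inputs must be shorter than 256 bytes; longer ones yield 0. */
static size_t longest_common_substring(const char *a, const char *b, size_t *b_off)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t best = 0, best_off = 0;
    /* prev[j]: length of the common suffix of a[..i-1] and b[..j-1] */
    size_t prev[256] = {0}, cur[256] = {0};

    *b_off = 0;
    if (la >= 256 || lb >= 256)
        return 0;
    for (size_t i = 1; i <= la; i++) {
        for (size_t j = 1; j <= lb; j++) {
            if (tolower((unsigned char)a[i - 1]) == tolower((unsigned char)b[j - 1])) {
                cur[j] = prev[j - 1] + 1;
                if (cur[j] > best) {
                    best = cur[j];
                    best_off = j - cur[j];
                }
            } else {
                cur[j] = 0;
            }
        }
        memcpy(prev, cur, sizeof prev);
    }
    *b_off = best_off;
    return best;
}

/* Toy strength rule: the remainder is weak when it is short or drawn
 * from a single character class (lower, upper, digit, other). */
static int remainder_is_weak(const char *s)
{
    size_t n = strlen(s);
    int lower = 0, upper = 0, digit = 0, other = 0;

    if (n < REMAINDER_MIN_LEN)
        return 1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }
    return (lower + upper + digit + other) < 2;
}

/* Returns 1 when newpw is similar to oldpw in the sense the manual gives:
 * they share a long enough substring, and what is left of newpw once that
 * substring is removed is itself weak. Returns 0 otherwise. */
int password_is_similar(const char *oldpw, const char *newpw)
{
    char rest[256];
    size_t off, len, ln = strlen(newpw);

    if (ln >= sizeof rest)
        return 0;
    len = longest_common_substring(oldpw, newpw, &off);
    if (len < SIMILAR_MIN_COMMON)
        return 0;                     /* nothing substantial in common */
    /* Build newpw with the shared substring cut out. */
    memcpy(rest, newpw, off);
    memcpy(rest + off, newpw + off + len, ln - off - len);
    rest[ln - len] = '\0';
    return remainder_is_weak(rest);
}

int main(void)
{
    /* Constructed (old, new) pairs for demonstration only. */
    const char *pairs[][2] = {
        { "Tr0ub4dor&3", "Tr0ub4dor&4"   },  /* one digit changed: similar   */
        { "Tr0ub4dor&3", "Xk9!mQz2pL"    },  /* unrelated: not similar       */
        { "summer2012",  "Qz7!mR#summer" },  /* shares "summer", rest strong */
        { "password1",   "Password2"     },  /* case change only: similar    */
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("old=%-12s new=%-14s similar=%d\n", pairs[i][0], pairs[i][1],
               password_is_similar(pairs[i][0], pairs[i][1]));
    return 0;
}
```

In a real module the old password is available in cleartext only during the password-change conversation (PAM passes it as the PAM_OLDAUTHTOK item), which is why a check like this can compare the two strings directly without anything ever being stored unhashed.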


----------



## mix_room (May 10, 2013)

Just out of curiosity: how does the PAM module determine what the substring of the previous password was? If I remember correctly the passwords aren't typically stored in plain-text. One would thus either have to reverse the hashing, or store a plain-text copy. Or does it just compare to the latest one, which the user has entered?


----------



## Beeblebrox (May 10, 2013)

For best results, you should ask that question to the port maintainer AND the FreeBSD security team.


----------



## gallo (May 11, 2013)

*Comparison*

Thank you guys!



			
				mix_room said:
			
		

> Just out of curiosity: how does the PAM module determine what the substring of the previous password was? If I remember correctly the passwords aren't typically stored in plain-text. One would thus either have to reverse the hashing, or store a plain-text copy. Or does it just compare to the latest one, which the user has entered?



When you change your password you are required to type the current AND the new password, so it is easy to make the comparison. Of course, storing the old password in plain-text form would be a major security issue.

Best,


----------



## kpa (May 11, 2013)

Not to mention that the default passwd(5) backend has no means of storing the clear text passwords.


----------

