# Fail to enforce strong password policy with PAM



## redriver (Dec 23, 2016)

I have read https://www.freebsd.org/doc/handbook/security-intro.html, but I found *pam_passwdqc* does not work as I expected.
I want to enforce 4 kinds of character classes in passwords: digits, lower-case letters, upper-case letters, and others. So I modified /etc/pam.d/passwd to be:

```
password        requisite       pam_passwdqc.so         min=disabled,disabled,disabled,disabled,8 similar=deny retry=3 enforce=everyone
```

But I found some issues:
1) The password cannot be used to log in through ssh. The sshd server always complains: "error: PAM: authentication error for test from 10.156.76.125"
2) I saw the `passwd` command give me a sample password, but it did not include digits. If I typed it, it was accepted. That is not what I expected.
3) If I specified a weak password, for example 123456, I only saw a warning, but the system still accepted the weak password.

Anyone know why?
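To see what the quoted `min=disabled,disabled,disabled,disabled,8` line should accept and reject before looking at the rest of the PAM stack, here is a small model of pam_passwdqc's class counting and `min=` thresholds. This is an added illustration, not the passwdqc source or anything from the thread: it models only the five `min=` fields and passwdqc's rule that an upper-case first character and a digit last character do not add a class on their own, and it ignores passwdqc's other checks (`similar=`, dictionary words, passphrases, `max=`). The sample passwords are constructed.

```python
"""Model of pam_passwdqc's character-class counting and min= thresholds.

Added illustration, not the passwdqc source. Only the min=N0,N1,N2,N3,N4
length rule and the class-counting quirk are modelled; similar=, dictionary,
passphrase and max= checks are left out.
"""
import string

# The min= part of the policy line from the thread.
POLICY_MIN = "disabled,disabled,disabled,disabled,8"


def parse_min(spec: str) -> list:
    """Turn 'disabled,24,11,8,7' into [None, 24, 11, 8, 7] (None = not allowed)."""
    fields = spec.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five comma-separated fields")
    return [None if f == "disabled" else int(f) for f in fields]


def count_classes(password: str) -> int:
    """Count character classes the way passwdqc does.

    Classes are digits, lower-case, upper-case and 'other'. An upper-case
    first character and a digit last character are such common habits that
    passwdqc does not let them add a class by themselves.
    """
    digits = lowers = uppers = others = 0
    for ch in password:
        if ch in string.digits:
            digits += 1
        elif ch in string.ascii_lowercase:
            lowers += 1
        elif ch in string.ascii_uppercase:
            uppers += 1
        else:
            others += 1
    if password and password[0] in string.ascii_uppercase:
        uppers -= 1
    if password and password[-1] in string.digits:
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n > 0)


def check_password(password: str, min_spec: str = POLICY_MIN) -> tuple:
    """Return (accepted, reason) under the min= rule only.

    Field 0 covers one-class passwords, field 1 two classes, field 3 three
    classes and field 4 four classes. Field 2 is the passphrase threshold,
    which this model does not implement.
    """
    thresholds = parse_min(min_spec)
    classes = count_classes(password)
    index = {0: 0, 1: 0, 2: 1, 3: 3, 4: 4}[classes]
    required = thresholds[index]
    if required is None:
        return False, f"{classes}-class passwords are disabled by policy"
    if len(password) < required:
        return False, (f"{classes}-class password needs at least {required} "
                       f"characters, got {len(password)}")
    return True, f"{classes} classes, length {len(password)} >= {required}"


# Constructed samples exercising the rule.
SAMPLES = [
    "123456",     # one class (digits): disabled under this policy
    "Glib+tidy",  # leading upper-case is discounted, so only 2 classes
    "a1B!c2D#",   # four classes, 8 characters: accepted
    "a1B!c2D",    # four classes but 7 characters: rejected
    "a1B!c2D9",   # trailing digit discounted, other digits remain: still 4 classes
]

if __name__ == "__main__":
    for pw in SAMPLES:
        ok, why = check_password(pw)
        print(f"{pw!r:14} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Under the thread's policy the model rejects `123456` outright, so a warning-only outcome for that password is not explained by the threshold rule itself; the same function can be pointed at passwdqc's default `min=disabled,24,11,8,7` to compare the two policies.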


----------



## redriver (Jan 5, 2017)

I found the 'pw' command is also used to set passwords, and that command does not enforce any password policy. As a result, users can work around it by using 'pw' to set a weak password, even if the passwd command follows a strong policy. So, discussing strong passwords does not make any sense on FreeBSD.


----------



## SirDice (Jan 5, 2017)

The pw(8) tool can only be used by root to set a password. And root can set any password, regardless of policy.


```
The pw utility handles updating the passwd, master.passwd, group and the
secure and insecure password database files, and must be run as root.
```


----------

