Changing passwords is an essential practice to ensure the security of a system. Sometimes, Linux users and administrators try to change their passwords but get a message stating that the new password is bad. In particular, the message may say the password is too similar to the last one.
In this tutorial, we’ll explore workarounds and provide code snippets to help us overcome password similarity issues. Eventually, these methods lead us to successfully change our password.
2. Identifying the Problem
To change the password, we most often use the passwd command:
$ passwd Changing password for user Baeldung Changing password for Baeldung (current) UNIX password: New UNIX password: BAD PASSWORD: is too similar to the old one
Let’s understand the reason behind the BAD PASSWORD statement. For instance, let’s assume that the current password assigned to the user Baeldung is Sigma0 but we tried to change it to Sigma1. Because of how similar the passwords are, the operating system prevents us from switching to the new one.
In short, Linux implements password similarity restrictions as a security measure. This is to protect user accounts from potential vulnerabilities. In particular, there are several reasons to prevent a user from changing their password to a new but similar one:
- avoid password guessing
- forbid password reuse
- protect users from their own habits of choosing simple passwords
- partially eliminate weak passwords
By implementing password similarity restrictions, Linux aims to promote better password practices. Additionally, this aims to increase the resilience of user accounts against unauthorized access attempts.
After understanding the problem, we’ll shed light on a couple of workarounds that assist us to overcome the challenge explained.
Relaxing password requirements should be done with caution. Consequently, it may compromise the security of user accounts. It’s advisable to encourage users to choose strong, unique passwords. Moreover, users should understand the risks associated with similar passwords. This is to be aligned with the security policies.
3.1. Enabling root Privileges
- execute any command
- modify system files
- install software
- perform various critical tasks
However, for security reasons, it’s recommended to limit the direct use of the root account. Instead, best practices dictate the use of the sudo command to execute privileged operations.
Let’s check out how to switch to the root user:
$ su - Password: Last login: Sun Nov 14 05:08:21 PDT 2022 on tty2 # whoami root
Now, let’s try to change the password of user Baeldung from Sigma0 to Sigma1:
# passwd Baeldung New password: Retype new password: passwd: password updated successfully
In this case, we validate that the password-changing activity is successful.
Alternatively, we can use the sudo command directly to avoid entering root credentials. In essence, sudo provides a way to delegate specific administrative tasks without sharing the root password with other users:
$ whoami Baledung $ sudo passwd Changing password for user Baeldung (current) UNIX password: New UNIX password: passwd: password updated successfully
While the procedure is the same, we gain the superuser privileges via sudo and might only need to enter the current user’s password. Thus, we’re able to change that password successfully.
In addition, the specific availability and functionality of this method can vary. This depends on the Linux distribution and version we’re using. However, it works in working environments such as Ubuntu 14.
3.2. Double Password Change
If we want to change the Sigma0 password to a similar one like Sigma1, we can first assign a temporary password to our user:
$ whoami Baledung $ passwd Changing password for user Baeldung (current) UNIX password: New UNIX password: passwd: password updated successfully
In the above example, we change the password from Sigma0 to Alpha0. The operation is successful, as there are no similarities between the old and new passwords.
Now, let’s execute the passwd command again and change the password from Alpha0, which is the temporary password, to our preferred password, which is Sigma1:
$ passwd Changing password for user Baeldung (current) UNIX password: New UNIX password: passwd: password updated successfully
This workaround might contradict the configuration of the Pluggable Authentication Modules (PAM). This depends on the configuration applied to the PAM, as it varies from one environment to another.
Moreover, the deciding configured parameter in this case for RedHat-based systems would be the remember=N parameter. It resembles the number of old passwords to remember for each user. The default is 10, while 400 is an internal hard-coded maximum.
4. PAM Configurations
There are two important configuration files that control the functionality of the PAM:
- /etc/pam.conf – primary configuration file
- /etc/pam.d – configurations for individual PAM-aware applications
PAM-aware applications are specifically designed to utilize the capabilities provided by PAM.
In particular, the specific usage of the /etc/pam.d/system-auth file and the /etc/pam.d/common-password file can vary. This depends on the Linux distribution and the particular configuration of the system. The latter is commonly found in Debian-based distributions, while the former is used more in Red Hat Enterprise Linux and its derivatives.
Let’s understand how the system determines password similarity. Red Hat Enterprise Linux utilizes a feature called pam_cracklib to enforce password complexity rules.
To relax the password requirements and allow similar passwords, we can change the settings related to the pam_cracklib module. Let’s open the system-auth configuration file:
$ sudo vi /etc/pam.d/system-auth
Editing these files is only possible with root privileges. Hence, we use the sudo command. In addition, we chose the vi editor to enable us to edit the /etc/pam.d/system-auth file.
Now, we locate the line that includes the pam_cracklib.so module:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
Next, we modify the line by adding the difok=1 parameter:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=1
In the above line, we added difok=1 to specify the number of characters that must differ between the old and new passwords. Changing the value of difok enables us to control the level of similarity allowed between passwords.
Finally, similar options are available for other PAMs such as pam_pwquality.
In this article, we identified the problem of Linux rejecting a new password due to the high similarity between the new and old passwords.
Furthermore, we discussed some workarounds to overcome our problem. Finally, we went through how to edit the PAM files as a permanent fix to tackle our issue.