I have a question regarding PAM in creating a complex password.

Passwords for classified systems must have the following characteristics:Minimum password length (8-characters), Password composition (mixture of characters/numbers, and upper/lower case) (i.e. complex or strong password)

Linux has some problems here in the way it uses credits. This is the string we have been using:
password required /lib/security/pam_cracklib.so retry=5 minlen=11 dcredit=1 ucredit=1 lcredit=1 ocredit=1 difok=2

NISPOM requires eight characters, minlen may =11, but Aa1!? may satisfy the password requirement.

So the question is what string do we need to ensure 8 characters is really the min length and the password meets complexity requirements. (try something Aa!1$$@ only 7 chars which is less than the required 8 but meets the complexity requirement)

Any help you can offer would be greatly appreciated!

I had a similar problem ... it turns out it was with the "credits" I was issueing. I was using a credit like you have: dcredit=1 .... this is not correct, it should be: dcredit=-1

*possibly* the reason why you can type in a seven character password (even though you specify minlen=11) at the command line is because you've ALREADY GIVEN CREDIT for 4 characters BEFORE the password is even entered (ucredit=1 lcredit=1 difok=2 == 4; 11 - 4 = 7).

You should change your line to look like this:

-- Tony

Just so you know, I was fighting for hours with PAM and minlength. I just read this and it solved all my problems. Thanks!

That did not work for me. I'm using RedHat Linux 8.0 and RedHat Linux 9.0 on 2 different systems. I have tried everything on both systems relating to system-auth, and I cannot get it to work. Any ideas?