# How to force passwd to accept easy passwords?

## devnull0000

I hate security... after the latest emerge --sync & world update something broke for me, and my almost trivial passwords don't work.

(from root)

```
passwd <my_user>
```

doesn't want to accept something easy like 0000 and teaches me security.

Do you know how to fix this?

I tried to build shadow with cracklib disabled but no luck so far; editing /etc/pam.d/system-auth also has no effect.

I want to control my machine, not let the machine control me... that's why I use Linux & Gentoo.

In the end I may end up debugging the passwd utility, but it may take too long and I hope there is a way.

Last edited by devnull0000 on Sun Aug 16, 2020 5:02 pm; edited 1 time in total

----------

## devnull0000

nevermind, I found it

Comment out with # the following line in /etc/pam.d/system-auth:

```
password       required        pam_passwdqc.so min=8,8,8,8,8 retry=3
```

and change the next one to

```
password        required        pam_unix.so nullok sha512 shadow
```

instead of

```
password       required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
```

That made me happy.
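The edit above removes the quality module and the `use_authtok` option from the password stack. As an added example that is not part of this post, here is a small POSIX sh audit script that reads a Linux-PAM service file and reports whether that kind of change is present; the function names and the sample files it writes under a temporary directory are constructed for the example (the two sample stacks reproduce the before/after lines from the post), and it assumes the standard one-rule-per-line PAM syntax.

```sh
#!/bin/sh
# Added example (not from the thread): audit the "password" stack of a Linux-PAM
# service file such as /etc/pam.d/system-auth.  Assumes one rule per line.

# Print the active (uncommented) "password" rules of a PAM service file.
pam_password_lines() {
    grep -E '^[[:space:]]*password[[:space:]]' "$1" 2>/dev/null || true
}

# Return 0 if a password-quality module is still on the stack, 1 otherwise.
pam_has_quality_module() {
    pam_password_lines "$1" | grep -qE 'pam_(passwdqc|pwquality|cracklib)\.so'
}

# Return 0 if pam_unix takes the password already vetted by the quality module
# (use_authtok).  Without it pam_unix prompts for a new password itself, so the
# password that gets stored need not be the one that was checked.
pam_unix_uses_authtok() {
    pam_password_lines "$1" | grep -E 'pam_unix\.so' | grep -q 'use_authtok'
}

# Audit one service file: one finding per line; return 0 if the quality check
# is intact, 1 if the stack was weakened.
pam_password_audit() {
    _file=$1; _rc=0
    if pam_has_quality_module "$_file"; then
        echo "ok: password-quality module active in $_file"
    else
        echo "WEAKENED: no password-quality module on the password stack in $_file"
        _rc=1
    fi
    if pam_unix_uses_authtok "$_file"; then
        echo "ok: pam_unix uses the vetted token (use_authtok)"
    else
        echo "WEAKENED: pam_unix lacks use_authtok, so it stores a password no module checked"
        _rc=1
    fi
    return $_rc
}

# Constructed sample files (not real system files): the stock stack and the
# edited one from the post above.
PAM_DEMO_DIR=$(mktemp -d)
PAM_DEMO_INTACT=$PAM_DEMO_DIR/system-auth.intact
PAM_DEMO_WEAK=$PAM_DEMO_DIR/system-auth.weak
cat >"$PAM_DEMO_INTACT" <<'EOF'
password   required   pam_passwdqc.so min=8,8,8,8,8 retry=3
password   required   pam_unix.so try_first_pass use_authtok nullok sha512 shadow
EOF
cat >"$PAM_DEMO_WEAK" <<'EOF'
#password  required   pam_passwdqc.so min=8,8,8,8,8 retry=3
password   required   pam_unix.so nullok sha512 shadow
EOF

pam_password_audit "$PAM_DEMO_INTACT" || :
pam_password_audit "$PAM_DEMO_WEAK" || :
# On a live system: pam_password_audit /etc/pam.d/system-auth
```

Run it on /etc/pam.d/system-auth (and any other service file with its own password stack) after an update that merges new configuration files, which is exactly the situation Hu describes further down: a non-zero exit tells you the quality check is gone or bypassable.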

----------

## proteusx

I hate security too, and here is my solution to cripple pam and make it let me in without asking for a password.

I have added as the top line:

```
auth    sufficient      pam_permit.so
```

to /etc/pam.d/login as well as to every module that nags me for a password (e.g. su, sshd, system-login, etc.)

----------

## Banana

I hope you know what you are doing and to everybody else: Don't

----------

## proteusx

*Banana wrote:*

> ...and to everybody else: Don't

Indeed, do not, or nasty Corona will get into your computer and might get you too; and we do not want that. Do we, children?

----------

## Hu

*devnull0000 wrote:*

> I hate security... after latest emerge --sync & world update something became broken for me and my almost trivial passwords don't work

My first guess would be that you had previously overridden basic system security policy and your recent update included a configuration file change that, once merged, reverted you to recommended defaults.  My second guess would be that a recent update improved the defaults.

proteusx: there is no need to get sarcastic here.  Banana was trying to be helpful, by informing future readers that the change described here is not one to be applied without a proper understanding of the consequences.  Those consequences may not be obvious since they apply only when a password change would otherwise be rejected for poor quality, and the result is an acceptance where the recommended default would be a denial.

----------

## Tony0945

You should use strong randomly generated passwords. To log in via ssh without a password, see https://wiki.gentoo.org/wiki/SSH#Connecting_to_a_distant_SSH_server

It's not really passwordless, your computer remembers the password for you and automatically sends it.

For passwordless X login, search this forum. There were some recent posts.  Maybe some kind person will post links.

Don't use 000 or abc; Linux can be destroyed by attackers. I understand your disdain for the security fetish, but take reasonable precautions against someone else.  I've memorized my X password (not random but a long nonsense phrase) and use random 12 digit hex numbers for ssh passwords, which I don't memorize because I've followed the above wiki link. I log in to X only from the LAN, YMMV. Many people disable all remote X login, but I'm the only user on the LAN now.  Yes, I still use suid for X, but NOT with a password like 000

----------

## pietinger

I understand requests for a simple (user) password. I am paranoid about security ... AND ... my user password is short and poor; only my pw for root is strong. Why?

I have no fear of an offline attack (no cleaning personnel), so only an online attack could break my system. A (successful) attacker doesn't need my user pw because he has already gained (at minimum) my user rights. He can damage my system only with the root account, and therefore you need a strong pw for root (and a hardened kernel).

----------

## Tony0945

pietinger,

Those are good points. In my case, I'm set up to sudo without a password so my user password is as important as my root password.

EDIT:

I was used to UNIX in a corporate environment before Windows even existed, so I'm mindful of these things. Got to admit that on Windows at first I logged on without a password and with administrative rights.  Today I don't do that because my browser remembers passwords for banks and credit cards.  It's not just computer security at risk.

----------

## Ant P.

USE="-pam" and then you can set your password any way you like without it getting in the way. Don't run sshd with password access in either case.

----------

## pietinger

*Tony0945 wrote:*

> [...] In my case, I'm set up to sudo without a password so my user password is as important as my root password.

Tony,

this is a true reason ... and the reason why I don't like sudo and never use it; I do jobs as root only with "su -"

In my eyes, sudo is one of the greatest security risks because of the immediate root access through a simple user account (think what happens after a successful break into your system after browsing a bad website with your user account ...)

----------

## proteusx

Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those who use their computer for bank transactions and those who want to prevent their wives from reading their mistress' emails.

Also, no compulsory cryptography, no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.

Security should be an opt-in, like systemd.  A meta package perhaps.

You may say I am a dreamer, am I the only one?

----------

## pietinger

*proteusx wrote:*

> Imagine a world where personal systems have no security [...]

Imagine a world where every house has an open front door ...

----------

## proteusx

*pietinger wrote:*

> *proteusx wrote:* Imagine a world where personal systems have no security [...]
>
> Imagine a world where every house has an open front door ...

Unlike today's houses with 100 padlocks on the front door but wide open back door.

----------

## pietinger

*proteusx wrote:*

> [...] but wide open back door.

Yes, you are right.

But only our secret agencies use computer back doors, and in these agencies we have only characterful people with good intentions ...

----------

## Marlo

*devnull0000 wrote:*

> nevermind, I found it
>
> comment out with # the line from /etc/pam.d/system-auth
>
> password       required        pam_passwdqc.so min=8,8,8,8,8 retry=3
> ...

thanks devnull0000,

your solution just saved me!

Thanks again

Ma

----------

## devnull0000

I'm glad I helped!

Update: In a fresh Gentoo, assuming you didn't do anything yet and dislike the long password:

- there is the /etc/security/passwdqc.conf file

- you can change the "enforce" option from "everyone" to "none"

then weak passwords will work; the system will merely warn about them.

----------

## Carlos227

*devnull0000 wrote:*

> I'm glad I'm helped!
>
> -  there is /etc/security/passwdqc.conf file
>
> - you can change "enforce" option from "everyone" to "none"
> ...

Thanks, it has helped me a lot. I do not know why they want to force me to set a strong password; it should only show a warning, as it does when the configuration is changed to none.

In my case I just wanted to create a new account to try another user configuration, and this makes me waste my time; it should be assumed that if I at least have Gentoo running, I understand the risk.

(by google translate)

----------

## Ant P.

*proteusx wrote:*

> Imagine a world where personal systems have no security whatsoever (e.g. no password login) and security is an option for those use their computer for bank transactions and those who want to prevent their wives to read their mistress' emails.
>
> Also, no compulsory cryptography,  no Spectre/Meltdown mitigations, no PIEs and no SSP canaries.
>
> Security should be an opt-in, like systemd.  A meta package perhaps.
> ...

I, too, remember the utter horror show an internet-connected Windows 98 PC was.

----------

## Hu

Some types of security absolutely should not be opt-in, because the people who need that security do not know, or care to know, enough about computers to realize that they should opt in.  That is not to say the security should be mandatory.  Allowing an opt-out is fine in some cases, and some of those may currently make opting out more difficult than it needs to be.  Enabling such features by default, with the ability to disable them for people who know their use case does not need to be secured, is a safer default overall.

----------

## Blind_Sniper

I have a very short password: 1 digit.

And I never edited any passwd.conf or whatever else.

When passwd warns me about a simple password, I just ignore that warning and type the confirmation.

That's all.

----------

## urcindalo

*devnull0000 wrote:*

> I'm glad I'm helped!
>
> Update: In fresh gentoo, assuming you didn't do anything yet and dislike the long password:
>
> -  there is /etc/security/passwdqc.conf file
> ...

You just made my day!

Thank you very much!

----------

## dbishop

An easier way to do this is to edit

/etc/security/passwdqc.conf

```
min=8,8,8,8,8
max=40
passphrase=0
match=4
similar=permit
random=24
enforce=none
retry=3
```

and change enforce=everyone to either =users or =none

----------

## ShorTie

Ya, the PAM wiki is quite old and out of date on this.

It even states on the page that it's like 10 years old, lol.

But heck, you can't even open a discussion about it for changes.

How nice, lol.

And does not mention a thing about using /etc/security/passwdqc.conf.

Guess you gotta read the news or sumfin

```
2020-06-23-upgrade-to-sys-libs_pam-1_4_0

  Title                     sys-libs/pam-1.4.0 upgrade
  Author                    Mikle Kolyada <zlogene@gentoo.org>
  Posted                    2020-06-23
  Revision                  1

Starting with the 1.4.0 release [1], we don't offer these modules anymore:

* pam_tally and pam_tally2 have been deprecated and replaced
  by the pam_faillock module

* pam_cracklib has been deprecated and replaced
  by the pam_passwdqc module

These changes affected our basic PAM stack configuration.
```

Digging thru the other OS's and the manual, I came up with:

```
min=disabled,2,2,2,2
max=40
passphrase=0
match=0
similar=permit
random=0
enforce=none
retry=3
```

Still get a warning of:

```
Weak password: not enough different characters or classes.
```

But it doesn't seem so picky and allows more.

Ya, even in this day and age, forcing this stuff down your Throat seems Totalitarian to me.

Should be up to the person how carefully he/she picks their passwords.

They are the ones that are gonna "Pay the Price" in the long run.

----------

## cameta

*Quote:*

> enforce=none

This works. After I had modified the password I changed it back to enforce=everyone.

The security policies are in Gentoo for some reason.   :Wink: 

----------

## figueroa

Everyone should expect Gentoo to have sane defaults. Weak, lame passwords by default would be dumb.

----------

## eccerr0r

Thanks, I was wondering about this; apparently this was part of the pam change that locked me out when pambase didn't get updated because of spidermonkey failing.  But anyway, as I was setting up a new machine, I had been using password <redacted> for a while and it no longer meets the new requirements where it had before, but no longer does because of <redacted>.  Perhaps there's a way to accept <redacted> but not allow dictionary or all-numeric passwords? (Appears not exactly: while all-numeric passwords can be banned, there appear to be no more dictionary checks, at least as it currently stands?)

Luckily, despite being under constant openssh dictionary attacks, there don't appear to be any successful connects; they haven't got the username correct yet either...

hmm...

setting 

```
enforce=users
```

appears to allow root to choose bad passwords (with a warning) but not allow regular users to be lax with passwords.  I'll probably just leave it like this...

----------

## metapsyborg

```
enforce=users
```

Thanks. I'm trying to create an account for a game server and this ridiculous password check was being a pita.

This policy of forcing a strong user password is foolish because it only gives an illusion of security; it seems more like someone checking a box on their security vulnerability checklist while leaving other gaping holes open. Anyone can just walk up to your computer and boot into an OS on a flash drive to read the hdd or take out the hard drive and read it from another machine and it's way easier than guessing your password. So, if you don't enforce home partition encryption then don't enforce bs "security" like password rules. Obviously a remote attack is not even possible because no default system is running sshd, and if you enable sshd then you will know what you are doing and give a white list of users and ips.

----------

## Tony0945

Anyone can just walk up to my computer?   No. First they have to break into my house.

----------

## ShadowCat8

*Ant P. wrote:*

> I, too, remember the utter horror show an internet-connected Windows 98 PC was.

LOL.    :Very Happy: 

You beat me to the punch, Ant!

----------

## Hu

*metapsyborg wrote:*

> I'm trying to create an account for a game server and this ridiculous password check was being a pita.

If you're creating a faceless account, why bother setting a weak password at all?  Make the account locked with no password, or roll a long random password that you don't bother to remember or record, because the only users to ever run as that uid will get there via setuid, not via logging in.

*metapsyborg wrote:*

> Anyone can just walk up to your computer and boot into an OS on a flash drive to read the hdd or take out the hard drive and read it from another machine and it's way easier than guessing your password.

Either of those requires halting the current system, which is fairly noticeable.  For me, an unexpected drop in uptime would be a major red flag.

----------

## pjp

*metapsyborg wrote:*

> ```
> enforce=users
> ```
> ...

Yikes. Security is not about ignoring vulnerabilities until you can solve all of them at once. Threat models are important as well. You know, the part where some organizations have been encrypting systems "at greater risk" (aka mobile) for many years.

Since your use case is the exception, it makes sense that you would need to make adjustments, not that every one else should make adjustments to accommodate your unusual circumstance. And similar to enabling ssh, if someone doesn't know any better and would prefer weak or even no passwords, then they should know what they are doing. Exposing an inexperienced person's system to a weak password by default is obviously the worse default. We can leave specifics about what it means for a password to be strong as a separate discussion.

Security also includes dealing with slow transfer of knowledge. And that transfer of knowledge only relatively recently informed everyone that long, hard to remember passwords were secure. As far as I know, there is no new "best practice" that enough people agree on to transfer new knowledge into a new common practice.

----------

## forrestfunk81

*pjp wrote:*

> We can leave specifics about what it means for a password to be strong as a separate discussion.
>
> Security also includes dealing with slow transfer of knowledge. And that transfer of knowledge only relatively recently informed everyone that long, hard to remember passwords were secure. As far as I know, there is no new "best practice" that enough people agree on to transfer new knowledge into a new common practice.

We (the IT guys) trained everyone to use hard to remember and insecure / less-secure passwords (e.g. G3n%T0O#), whereas more secure and easy to remember passwords have been frowned upon (e.g. gentooissupergreatandmayliveforever).

And we even made this mandatory and enforced it with password rules. Many of these silly rules are still in place; iirc the enforcement of passwdqc also does not allow a 35 lowercase letter password. This is absolutely ridiculous.

https://xkcd.com/936/

----------

## Tickeldi

*pjp wrote:*

> Exposing an inexperienced person's system to a weak password by default is obviously the worse default.

Exchanging a user's freedom of how exactly to use their machine for an increase in security is an arguable decision. Especially for this distribution. In my opinion, it should warn but not prevent you from setting it up however you please. This setting has been annoyingly hard to change.

Want to always accept all licenses when installing software? Bad idea, but if you really want to do it, you can do it easily.

You want to rm -rf / ? It's your call. You want to use dd to flash an iso to a usb stick? Better use the right drive letters.

Want to make every package bleeding edge and use -O3 for everything? Whatever floats your boat.

Want to use the name of your ex girlfriend as a password? No! NO! BAD USER! BAD!

----------

## Hu

*Tickeldi wrote:*

> *pjp wrote:* Exposing an inexperienced person's system to a weak password by default is obviously the worse default.
>
> Exchanging a users freedom of how exactly to use their machine for an increase in security is an arguable decision.

An arguable one, but an argument that you are not likely to win, since the restriction can be changed readily enough.  Upstream ships with a preference for security.  This preference does not notably impede users who choose good passwords.  Personally, I hadn't even noticed this limitation, because my first choice satisfied the quality rules.

I could see an argument for changing the error message to more directly tell the administrator how to change this.

*Tickeldi wrote:*

> In my opinion, it should warn but not prevent you from setting it up however you please.

Warn "you" the root user or "you" the unprivileged user?  On multi-user systems, these are different people.  The administrator should be given secure defaults, with the discretion to override them where needed.  When running a multi-user system with password authentication, I want to trust that, by default, my users are required to use quality passwords.  On a single user system with good physical security, I can see allowing root to override the rule, on the basis that root could go change the rule, so enforcing it does not appreciably increase security.

*Tickeldi wrote:*

> Want to always accept all licenses when installing software? Bad idea, but if you really want to do it, you can do it easily.

This was historically not so easy.  It is easy now because autounmask was created to simplify making such changes.

*Tickeldi wrote:*

> You want to rm -rf / ? It's your call. You want to use dd to flash an iso to a usb stick? Better use the right drive letters.

Neither of these commands enforces any sanity checks on input.  Once a sanity check exists at all, it ought to have sane rules.  I like having a sanity check on passwords.

*Tickeldi wrote:*

> Want to make every package bleeding edge and use -O3 for everything? Whatever floats your boat.

Again, there is no specific sanity check here, so there are no default rules for it.

*Tickeldi wrote:*

> Want to use the name of your ex girlfriend as a password? No! NO! BAD USER! BAD!

Let this be a lesson to you.  Only date women with names that satisfy the password complexity requirements.  This may require you to break up and find someone new if industry best practice about minimum quality changes.  Or it might require you to stay with the first woman you date who has a simple name, since you can never let her become your ex.

----------

## pietinger

*Hu wrote:*

> Let this be a lesson to you.  Only date women with names that satisfy the password complexity requirements.

:Laughing:

Hu, you are the greatest and made my day ...   :Laughing:

----------

## Tickeldi

My examples aimed to show that you're allowed to do a lot of dangerous stuff as a user even without a warning or sanity checks, but when it comes to choosing a password you have to comply with strict rules someone chose for you. It's uncharacteristic of what my experience in this environment has been, is what I wanted to say.

I guess it very much depends on your specific situation. If you're responsible for a multi user system, weak passwords chosen by one of the users will affect others because they jeopardize the security of the whole system by being an easy point of entry. So you'll be glad for the enforcement of rules like this. But if you're booting from the gentoo install media and want to ssh into it real quick from a physically connected machine next to the one you're installing to it's really annoying.

*Hu wrote:*

> I could see an argument for changing the error message to more directly tell the administrator how to change this.

That would be good enough I think. Because for me, the restriction couldn't be changed "readily enough". I needed longer than I'm comfortable admitting to circumvent it. It's why I'm here having this wonderful conversation.

*Hu wrote:*

> Warn "you" the root user or "you" the unprivileged user?

The root user. An unprivileged user can be made to authorize via anal probe for all I care.

*Hu wrote:*

> Let this be a lesson to you. Only date women with names that satisfy the password complexity requirements. This may require you to break up and find someone new if industry best practice about minimum quality changes. Or it might require you to stay with the first woman you date who has a simple name, since you can never let her become your ex.

That's the sole reason I've been trying to meet Russian women as most systems accept Cyrillic letters as special characters. Great people to break up with too.

*Hu wrote:*

> Personally, I hadn't even noticed this limitation, because my first choice satisfied the quality rules.

Personally, I've been digging spike pits in my front yard and put an Indiana Jones sized boulder behind my front door to ward off solicitors and get faster delivery people via evolutionary selection, but I still feel that it's a good thing this has not as of yet become a mandatory standard practice for others.

----------

## pjp

*forrestfunk81 wrote:*

> We (the IT guys) trained everyone to use hard to remember and insecure / less-secure passwords

I don't mean to cast aspersions, but I believe it was a decision based primarily on the Windows ecosystem with a rather significant blast radius. In general, it was a good thing to recognize that 'password', 'Password123', etc. shouldn't be used, but the cost was pretty high. And for seemingly little gain.

*forrestfunk81 wrote:*

> Many of this silly rules are still in place, iirc also the enforcement of passwdqc does not allow a 35 lowercase letter password. This is absolutely ridiculous.

I agree, and that was partly the point of my comment. I had a short discussion with a Windows Admin about password policy and how someone had mathematically proven that easier alternatives to the random password with minimum character content requirements were no less secure. It was a short discussion not worth continuing; the individual wasn't willing to consider anything contradicting The Standard Way to Do It (unrelated to implementing any changes).

*Tickeldi wrote:*

> Exchanging a users freedom of how exactly to use their machine for an increase in security is an arguable decision. Especially for this distribution. In my opinion, it should warn but not prevent you from setting it up however you please. This setting has been annoyingly hard to change.

I've not tried to make that change, so I can't comment on its difficulty. I thought I had read something indicating it seemed pretty simple, but again, haven't tried. As long as you recognize that my comment that you did quote specifically mentioned inexperienced users, then we'll just have to agree to disagree. I don't think it should be easy for someone who doesn't understand the implication of their decision to easily make it happen. I'm not saying it shouldn't be possible. However, for an experienced person, I think it should be possible and the default expectation that their unique situation be the one requiring extra effort.

*Tickeldi wrote:*

> Want to ...

None of your examples are in my opinion remotely close to the password issue. The rm issue had been mitigated somewhere, but I don't recall where... maybe not Linux or GNU, but that isn't really a Linux issue. I personally favor the change of preventing it. For that, there are only two good solutions. Backups, which aren't likely to be frequent enough to catch all rm accidents, and an undelete mechanism.  While performing a lot of manual data manipulation, I managed to remove a small amount of files due to an errant 'cd'. Fortunately I was able to recreate the important files and live without the other 1 or 2. Anyone choosing 'bleeding edge' should by definition expect some blood. Hopefully at some point they learn and realize the error of their ways.

Those issues only result in a possible ideological conflict; missing data due to human error and not flossing the data you want to keep; and misguided enthusiasm. A weak password can have negative consequences beyond the local system in which the weak password was allowed.

On a related note, can a better secure password policy be implemented? Random, non-repeatable characters with a minimum representation of special characters is relatively easy to test.

----------

## pjp

*Tickeldi wrote:*

> My examples aimed to show that you're allowed to do a lot of dangerous stuff as a user even without a warning or sanity checks but when it comes to choosing a password you have to comply to strict rules someone chose for you. It's uncharacteristic for what my experience has been in this environment is what I wanted to say.

Is the password policy one implemented by Gentoo, or is it an upstream decision? Gentoo generally follows upstream pretty closely. I don't have the knowledge of specific instances where they diverged and why. So this most likely isn't (directly) a Gentoo issue at all.

*Tickeldi wrote:*

> But if you're booting from the gentoo install media and want to ssh into it real quick from a physically connected machine next to the one you're installing to it's really annoying.

I can remember being annoyed at similar issues, though not that specific one. I guess I've gotten used to it such that it isn't an issue any more. When I use boot media, I start sshd and either copy keys or create a user. If I'm installing, then I get a minimally installed system to boot and switch to that for the remainder of the install. I haven't seen an environment that didn't use passwords or network connectivity in a very long time, so I do have that "bias." Dealing with the initial change? Not fun. But a (relatively) long time ago.

----------

## Tickeldi

If anyone visits this discussion in search for a quick solution:

```
sed -i "s/enforce=everyone/enforce=none/g" /etc/security/passwdqc.conf
```

works for me.

----------

## lekto

My solution for this problem is running openssl passwd and pasting the hash you get between the first and second colon in /etc/shadow

----------

## figueroa

This thread seems to be deteriorating into unwise solutions.

----------

## vladimir1986

Thanks for the passwdqc tip!

enforce=none should be the default. ffs, I am installing Gentoo on a personal computer, not a bloody mainframe with access to nuclear missile launch codes. The last thing I need is to memorize 304 character passwords with multiple symbols and numbers.

----------

## Hu

As noted up thread, Gentoo normally propagates upstream's defaults.  If you don't like the default, contact the maintainers and present a reason to have it changed.  Posting here is unlikely to result in a change no matter how good an argument you present.

Having used passwords shorter than 100 characters, I think you are engaged in a bit of hyperbole to complain about needing 304 characters.  This does not bode well for your argument overall.  :Smile: 

----------

## vladimir1986

*Hu wrote:*

> As noted up thread, Gentoo normally propagates upstream's defaults.  If you don't like the default, contact the maintainers and present a reason to have it changed.  Posting here is unlikely to result in a change no matter how good an argument you present.
>
> Having used passwords shorter than 100 characters, I think you are engaged in a bit of hyperbole to complain about needing 304 characters.  This does not bode well for your argument overall.

I love exaggeration, but I was trying to make a point!

This is a bit of a sucky situation: Gentoo's policy is to use upstream's policies. The passwd rules are actually good practice, so I don't think they should be relaxed, as they are tough off to work out of the box on environments which require higher security, which is good.

However, Gentoo is not a distro whose main goal is security (even if that can be strengthened and made very secure). It is a distro aimed at desktop usage.

Those stringent security measures, while they have a place for some cases, are extremely inconvenient and can cause problems for normal desktop usage. I do think it is Gentoo's duty to change the defaults (which are designed for a completely different use case) at best, or just mention how to relax the rules in the install handbook at a minimum.

I only know that I used to be able to use passwd with no problems; now I can't. I had to get a second device and find the solution on a random forum in order to be able to complete the installation. This is not very friendly.

Also, the solution of editing passwdqc with enforce=none is quite simple, but not documented anywhere (I didn't even know that file existed!). It should just take a one-line mention in the install handbook! That will leave the decision of how much security the user wants to the same user's responsibility.

----------

## shimbob

*figueroa wrote:*

> This thread seems to be deteriorating into unwise solutions.

I went with USE=-passwdqc emerge -C passwdqc myself. This is for a portable game gizmo, though.

----------

