If you have ever received a message that your new password is too similar to your old one, then you may be curious as to how your Linux system 'knows' they are too much alike. Today's SuperUser Q&A post provides a peek behind the 'magic curtain' at what is going on for a curious reader.

Today's Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven group of Q&A web sites.

Screenshot courtesy of marc falardeau (Flickr).

The Question

SuperUser reader LeNoob wants to know how a Linux system 'knows' that passwords are too similar to each other:

I tried to change a user password on various Linux machines a few times and when the new password was much like the old one, the operating system said that they were too similar.

I have always wondered, how does the operating system know this? I thought passwords were saved as a hash. Does this mean that when the system is able to compare the new password for similarity to the old one that it is actually saved as plain text?

How does a Linux system 'know' that passwords are too similar to each other?

The Answer

SuperUser contributor slhck has the answer for us:

Since you need to supply both the old and new passwords when using passwd, they can be easily compared in plain text.

Your password is indeed hashed when it is finally stored, but until that happens, the tool where you are entering your password can just access it directly.

This is a feature of the PAM system which is used in the background of the passwd tool. PAM is used by modern Linux distributions. More specifically, pam_cracklib is a module for PAM that allows it to reject passwords based on similarities and weaknesses.

It is not just passwords which are too similar that can be considered insecure. The source code has various examples of what can be checked, such as whether a password is a palindrome or what the edit distance is between two words. The idea is to make passwords more resistant against dictionary attacks.

See the pam_cracklib manpage for more information.
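To make the answer above concrete, here is an added example (not pam_cracklib's source and not code from the SuperUser thread) of the kind of plain-text checks a PAM password-quality module can run while it still has both passwords in memory: a palindrome test, a "only the case changed" test, and an edit-distance test against the old password. The `min_distance` threshold and the function names are assumptions for illustration; pam_cracklib's real rules and defaults are documented in its manpage. The final function shows that once the checks pass, only a salted hash is kept.

```python
"""Illustrative password-quality checks of the kind a PAM module runs.

Added example, not pam_cracklib's code. Names and thresholds are assumptions.
"""
import hashlib
import os


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # delete ca
                           cur[j - 1] + 1,     # insert cb
                           prev[j - 1] + cost))  # substitute (or keep)
        prev = cur
    return prev[-1]


def is_palindrome(pw: str) -> bool:
    """Palindromes are trivially guessable once half of them is known."""
    return pw == pw[::-1]


def only_case_changed(old: str, new: str) -> bool:
    """'hunter2' -> 'HUNTER2' is not a meaningful change."""
    return old != new and old.lower() == new.lower()


def check_new_password(old: str, new: str, min_distance: int = 5) -> list[str]:
    """Return the list of reasons the new password is rejected (empty = OK).

    Both values are plain text here because the user has just typed them
    into the password-changing tool; nothing has been stored yet.
    min_distance is an assumed threshold, in the spirit of pam_cracklib's
    'difok' idea (minimum number of characters that must differ)."""
    reasons = []
    if is_palindrome(new):
        reasons.append("is a palindrome")
    if only_case_changed(old, new):
        reasons.append("differs from the old one only by case")
    if edit_distance(old, new) < min_distance:
        reasons.append("is too similar to the old one")
    return reasons


def hash_for_storage(new: str) -> str:
    """What actually gets written to disk after the checks pass: a salted
    hash, never the plain text. Illustrative format; real systems use the
    crypt(3)/shadow conventions of the distribution."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", new.encode(), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


if __name__ == "__main__":
    # Constructed sample inputs.
    for old, new in [("Tr0ub4dor&3", "Tr0ub4dor&4"),
                     ("hunter2", "HUNTER2"),
                     ("correct horse", "racecar"),
                     ("hunter2", "battery staple!")]:
        problems = check_new_password(old, new)
        verdict = "rejected: " + ", ".join(problems) if problems else "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
    print("stored as:", hash_for_storage("battery staple!"))
```

Note that the similarity test only works because the old password is supplied at change time; a system that only held the hash could not compute an edit distance, which is exactly why the question's worry about plain-text storage does not follow.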

Make sure to read through the rest of the lively discussion over at SuperUser via the topic thread linked below.


Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.
