Linux uses a variety of methods to determine whether a new password is similar to the old one. One method is to compare the two passwords. If they are similar, Linux will use the same algorithm to generate the new password.


If you have ever received a message that your new password is too similar to your old one, then you may be curious as to how your Linux system ‘knows’ they are too much alike. Today’s SuperUser Q&A post provides a peek behind the ‘magic curtain’ at what is going on for a curious reader.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

Screenshot courtesy of marc falardeau (Flickr).

The Question

SuperUser reader LeNoob wants to know how a Linux system ‘knows’ that passwords are too similar to each other:

How does a Linux system ‘know’ that passwords are too similar to each other?

I have always wondered, how does the operating system know this? I thought passwords were saved as a hash. Does this mean that when the system is able to compare the new password for similarity to the old one that it is actually saved as plain text?

The Answer

SuperUser contributor slhck has the answer for us:

Make sure to read through the rest of the lively discussion over at SuperUser via the topic thread linked below.

Your password is indeed hashed when it is finally stored, but until that happens, the tool where you are entering your password can just access it directly.

This is a feature of the PAM system which is used in the background of the passwd tool. PAM is used by modern Linux distributions. More specifically, pam_cracklib is a module for PAM that allows it to reject passwords based on similarities and weaknesses.

It is not just passwords which are too similar that can be considered insecure. The source code has various examples of what can be checked, such as whether a password is a palindrome or what the edit distance is between two words. The idea is to make passwords more resistant against dictionary attacks.

See the pam_cracklib manpage for more information.

Have something to add to the explanation? Sound off in the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.