Displaying Password Policy before Password Change

On a multi-user system, one may not trust users to choose strong passwords. Thus, one can setup up a password policy. On linux systems using PAM, this can be done with pam_cracklib.

While pam_cracklib does an excellent job, with many options, it does not have an option to display the current password policy to the user prior to a password change. Indeed, this could be tedious because of the localization.

Displaying the policy is crucial, especially for users with expired passwords that must change them upon logging, because they can’t have access to the system to learn the policy before changing their passwords. This often results in frustrated users trying to “discover” the policy by trials and errors.

Sadly, most sysadmins I met forget to display that policy, or just do not know how to do it.

One response is to use pam_echo. This module displays on screen the content of a file and it can do so in all four PAM phases (account, auth, password, and session). With pam_echo, system administrators can just write down in the natural language of their users what the password policy is, and display it using a well-positioned call to pam_echo.

For instance, on my debian system, I edited /etc/pam.d/common-password and I added just before the line about pam_unix:

password optional pam_echo.so file=/etc/password_policy