DICE passwords must

where the recognised five character classes are

In addition, any new password must differ from the corresponding current password.

These standards are enforced at password creation/update time by the School's Kerberos Key Distribution Centre (KDC), as well as by the DICE PAM stack.

As well as checking for the above, the DICE PAM stack implements further tests on any proposed new password using the cracklib library, and will reject a password deemed too insecure. A summary of the cracklib tests follows; for further information, refer to man pam_cracklib.

First, the cracklib routine is called to check if the password is part of a dictionary; if this is not the case, the following additional set of strength checks is done:
Is the new password a palindrome?
Case change only
Is the new password the the old one with only a change of case?
Is the new password too much like the old one?
Is the new password too simplistic/systematic?
Is the new password a rotated version of the old password?
Already used
Was the password used in the past?
Same consecutive characters
Check for same consecutive characters.
Contains user name
Check whether the password contains the user's name in some form.

Home : Systems : Policies 

Informatics Forum, 10 Crichton Street, Edinburgh, EH8 9AB, Scotland, UK
Tel: +44 131 651 5661, Fax: +44 131 651 1426, E-mail:
Please contact our webadmin with any comments or corrections. Logging and Cookies
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh