DICE passwords must
In addition, any new password must differ from the corresponding current password.
These standards are enforced at password creation/update time by the School's Kerberos Key Distribution Centre (KDC), as well as by the DICE PAM stack.
As well as checking for the above, the DICE PAM stack implements further
tests on any proposed new password using the cracklib library, and will
reject a password deemed too insecure. A summary of the cracklib tests follows;
for further information, refer to
First, the cracklib routine is called to check if the password is part of a dictionary; if this is not the case, the following additional set of strength checks is done:
- Is the new password a palindrome?
- Case change only: Is the new password the old one with only a change of case?
- Is the new password too much like the old one?
- Is the new password too simplistic/systematic?
- Is the new password a rotated version of the old password?
- Already used: Was the password used in the past?
- Same consecutive characters: Check for same consecutive characters.
- Contains user name: Check whether the password contains the user's name in some form.
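
A simplified sketch of the old-versus-new comparison checks listed above, as an added example; it is not the DICE PAM stack or cracklib code. The function names and the thresholds `MIN_EDITS` and `MAX_REPEAT` are assumptions, and the dictionary and password-history checks are left out.

```python
from itertools import groupby

# Assumed thresholds for illustration; the page does not give DICE's values.
MIN_EDITS = 5    # minimum edit distance between old and new password
MAX_REPEAT = 2   # longest permitted run of one repeated character


def edit_distance(a, b):
    """Levenshtein distance between a and b, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_run(s):
    """Length of the longest run of identical consecutive characters."""
    return max((len(list(g)) for _, g in groupby(s)), default=0)


def check_new_password(old, new, username):
    """Return the name of the first failed check, or None if all pass."""
    low_old, low_new, low_user = old.lower(), new.lower(), username.lower()
    if new == old:
        return "unchanged"
    if len(new) > 1 and new == new[::-1]:
        return "palindrome"
    if low_new == low_old:
        return "case change only"
    # A rotation of `old` always appears as a substring of old + old.
    if len(new) == len(old) and new in old + old:
        return "rotated"
    if edit_distance(low_old, low_new) < MIN_EDITS:
        return "too similar"
    if longest_run(new) > MAX_REPEAT:
        return "same consecutive characters"
    # "In some form" is read here as forwards or reversed (an assumption).
    if low_user and (low_user in low_new or low_user[::-1] in low_new):
        return "contains user name"
    return None
```

Checks run in a fixed order and the first failure is reported, so a candidate that is both a rotation and too similar is reported as rotated.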
Unless explicitly stated otherwise, all material is copyright © The University of Edinburgh