如果您曾经收到一条消息说您的新密码与旧密码太相似，那么您可能会好奇您的Linux系统是如何“知道”它们太相似的。今天的超级用户问答帖子为好奇的读者提供了一个“魔法帷幕”背后的一瞥。

今天的问答环节是由SuperUser提供的，SuperUser是Stack Exchange的一个分支，是一个由社区驱动的问答网站分组。

屏幕截图由marc falardeau（Flickr）提供。

问题

超级用户读者LeNoob想知道Linux系统如何“知道”密码彼此太相似：

I tried to change a user password on various Linux machines a few times and when the new password was much like the old one, the operating system said that they were too similar.

I have always wondered, how does the operating system know this? I thought passwords were saved as a hash. Does this mean that when the system is able to compare the new password for similarity to the old one that it is actually saved as plain text?

Linux系统如何“知道”密码彼此太相似？

答案

超级用户贡献者slhck为我们提供了答案：

Since you need to supply both the old and new passwords when using passwd, they can be easily compared in plain text.

Your password is indeed hashed when it is finally stored, but until that happens, the tool where you are entering your password can just access it directly.

This is a feature of the PAM system which is used in the background of the passwd tool. PAM is used by modern Linux distributi***. More specifically, pam_cracklib is a module for PAM that allows it to reject passwords based on similarities and weaknesses.

It is not just passwords which are too similar that can be c***idered insecure. The source code has various examples of what can be checked, such as whether a password is a palindrome or what the edit distance is between two words. The idea is to make passwords more resistant against dictionary attacks.

See the pam_cracklib manpage for more information.

请务必通过下面链接的主题线程，在SuperUser上通读其余的生动讨论。

有什么要补充的解释吗？在评论中发出声音。想从其他精通技术的Stack Exchange用户那里了解更多答案吗？在这里查看完整的讨论主题。