linux如何知道新密碼與舊密碼相似？

如果您曾經收到一條訊息說您的新密碼與舊密碼太相似，那麼您可能會好奇您的Linux系統是如何“知道”它們太相似的。今天的超級使用者問答帖子為好奇的讀者提供了一個“魔法帷幕”背後的一瞥。...

如果您曾經收到一條訊息說您的新密碼與舊密碼太相似，那麼您可能會好奇您的Linux系統是如何“知道”它們太相似的。今天的超級使用者問答帖子為好奇的讀者提供了一個“魔法帷幕”背後的一瞥。

今天的問答環節是由SuperUser提供的，SuperUser是Stack Exchange的一個分支，是一個由社群驅動的問答網站分組。

螢幕截圖由marc falardeau（Flickr）提供。

問題

超級使用者讀者LeNoob想知道Linux系統如何“知道”密碼彼此太相似：

I tried to change a user password on various Linux machines a few times and when the new password was much like the old one, the operating system said that they were too similar.

I have always wondered, how does the operating system know this? I thought passwords were saved as a hash. Does this mean that when the system is able to compare the new password for similarity to the old one that it is actually saved as plain text?

Linux系統如何“知道”密碼彼此太相似？

答案

超級使用者貢獻者slhck為我們提供了答案：

Since you need to supply both the old and new passwords when using passwd, they can be easily compared in plain text.

Your password is indeed hashed when it is finally stored, but until that happens, the tool where you are entering your password can just access it directly.

This is a feature of the PAM system which is used in the background of the passwd tool. PAM is used by modern Linux distributi***. More specifically, pam_cracklib is a module for PAM that allows it to reject passwords based on similarities and weaknesses.

It is not just passwords which are too similar that can be c***idered insecure. The source code has various examples of what can be checked, such as whether a password is a palindrome or what the edit distance is between two words. The idea is to make passwords more resistant against dictionary attacks.

See the pam_cracklib manpage for more information.

請務必透過下面連結的主題執行緒，在SuperUser上通讀其餘的生動討論。

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。