Guidance using pam_passwdqc module and Army Regulation 25-2

Solar Designer solar at
Sat Aug 21 01:48:47 UTC 2004

On Fri, Aug 20, 2004 at 05:24:10PM +1200, William Brower wrote:
> This is re-opening an old thread (June 2004), but I now have 
> clarification on the language within the US Army Regulation 25-2 
> regarding required password strength.

I appreciate this, thanks.

> Given this requirement, would there be any consideration given by the 
> pam_passwdqc maintainers to modify the tool to help us enforce AR25-2 ?
> Specifically, pam_passwdqc would have to be able to require N characters 
> from a given character set, as opposed to 0 or 1 as it now does.

Yes, I'll consider this enhancement, although I find this requirement
of AR25-2 unreasonable.  But no promises yet.  I'd need to find some
"spare" time for this (unless your organization would be willing to
sponsor the next release of pam_passwdqc :-) ), I'd need to make a
determination of whether I do the minimum to satisfy the regulation or
whether I implement something more generic, and I'd need to come up
with a good name and syntax for the command-line option.


More information about the Pam-list mailing list