Extra package: passwdqc

EL9

  • Version 2.1.0-1.el9_7.security

EL8

  • Version 2.1.0-1.el8_10.security

Package summary

passwdqc is a password/passphrase strength checking and policy enforcement toolset, including a PAM module (pam_passwdqc), command-line programs (pwqcheck, pwqfilter, and pwqgen), and a library (libpasswdqc).

More information is available on the passwdqc homepage and in the documentation files (man pages and a README) included in the sub-packages below.

Usage in Rocky Linux

This RPM packaging of passwdqc is shared with Fedora and the upstream passwdqc project.

There are 5 sub-packages:

pam_passwdqc

pam_passwdqc is a PAM module that is normally invoked on password changes by programs such as passwd(1). It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.

Merely installing this sub-package does not yet configure the system to use the PAM module. To do so, on EL9 use our control, or on either EL8 or EL9 you may edit the PAM configuration files manually, for example as shown here.

passwdqc-utils

pwqcheck and pwqgen are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts.

The pwqfilter program searches, creates, or updates binary passphrase filter files, which can also be used with pwqcheck and pam_passwdqc. This can be used for checking of user-provided passwords against existing data breaches, which is recommended in the current NIST guidance, specifically in publication 800-63B sections 5.1.1.2 and A.3. Paid pre-generated filter files are available from Openwall at the project homepage above, but with this tool you can also generate your own.
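
As an added example (not part of the passwdqc package or this page's original text), the function below shows one way to use pwqcheck from a script: it measures how a policy treats a list of candidate passwords and reports only counts per rejection reason. The function name pwq_audit is hypothetical, and the "-1 --multi" output format is assumed to be as described in pwqcheck(1); check the man page of the installed version.

```shell
#!/bin/sh
# Added example: summarise how a passwdqc policy treats a list of candidate
# passwords, without ever printing the passwords themselves.
#
# Usage: pwq_audit [pwqcheck options...] < candidates.txt
# Candidates arrive on stdin, one per line, so they never appear in argv
# (and therefore not in the process list or shell history).

pwq_audit() {
    # -1      : each check reads one line (the new passphrase only)
    # --multi : keep checking until EOF; each output line is assumed to be
    #   "OK: <passphrase>"  or  "Bad passphrase (<reason>): <passphrase>"
    # pwqcheck exits non-zero when something was rejected, which is expected
    # here, so its exit status is not treated as a failure.
    { pwqcheck -1 --multi "$@" || true; } | awk '
        /^OK: / { ok++; total++; next }
        /^Bad passphrase \(/ {
            # Keep only the reason and drop the echoed passphrase.
            reason = $0
            sub(/^Bad passphrase \(/, "", reason)
            sub(/\): .*$/, "", reason)
            bad[reason]++; total++; next
        }
        END {
            printf "checked=%d accepted=%d\n", total, ok
            for (r in bad) printf "rejected=%d reason=%s\n", bad[r], r
        }'
}
```

Any policy options given to pwq_audit, such as wordlist= with an external wordlist, are passed through to pwqcheck unchanged.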

libpasswdqc

libpasswdqc is the underlying library, which may also be used from third-party programs.

libpasswdqc-devel

This package contains development files needed for building passwdqc-aware applications, as well as documentation (man pages) for developing such applications.

passwdqc

passwdqc is a meta sub-package that installs (via dependencies) the actual sub-packages above, except for libpasswdqc-devel.

Change log

* Mon Mar 02 2026 Solar Designer <solar@openwall.com> 2.1.0-1
- Update to 2.1.0
- Run "make check" from %%check

* Fri Jan 31 2025 Solar Designer <solar@openwall.com> 2.0.3-2.2
- Pass -pie -Wl,-z,defs -Wl,-z,relro -Wl,-z,now and RPM_OPT_FLAGS to LDFLAGS

The actual RPM %changelog is different since the spec file is kept in sync with Fedora, so logs of our older changes may be omitted, whereas Fedora's are present.

Significant changes between 2.0.3 and 2.1.0

Add a built-in generated common passwords list and a script to (re)generate it. Specifically, we effectively include the top 100k of the HIBPv8 overlap with RockYou, optimized to ~50k entries and compressed to under 200 KB, which is now embedded in the program binary. With this and our default policy, we no longer accept anything from the current JtR jumbo default password.lst (1.8 million entries, of which we previously accepted 0.1%), and we accept only under 0.03% of the first 10 million candidates that the same JtR generates by default (previously 0.3%), all while having minimal impact on acceptance of stronger passwords (tested on those uncracked in CMIYC 2010). Add a new rejection reason, "based on a common password".

Optimize the fuzzy matching against wordlist entries such that it's fast enough even with the larger default wordlist (or with external wordlists, which may be larger yet).

Slightly expand the previously existing built-in English word list and common character sequences list. Importantly, these are used even when the above newly added common passwords list is overridden with the wordlist= option to use an external wordlist, so that basic checks of this sort continue to work regardless of the external wordlist's quality.

Revise matching of wordlist entries against qualifying multi-word passphrases. It is expected and allowed for such a passphrase to consist of words, so words were not and still are not discounted, but if a wordlist entry matches a part of a passphrase that is longer than one word, that part is now nevertheless discounted.

Revise matching of leetspeak to maintain intuitive behavior despite the change above (challenging because digits in leetspeak words look like word separators), as well as to better reflect what's actually common and exclude what is not.

Revise non-ASCII passphrase word counting logic: no longer require non-ASCII words to be separated specifically by spaces, but allow any ASCII non-letters as separators.

Simplify the default password policy by no longer allowing length 7.

Add Finnish translation of rejection reasons and pam_passwdqc messages.

In Makefile, pass certain default hardening flags to compiler and linker when building for Linux, and let the package add more of them and/or override them.

Add tests, run them on "make check", run that from RPM spec %check.

Replace the bundled RPM spec with Fedora's, update it for this release.