passwdqc is a password/passphrase strength checking and policy enforcement toolset, including an optional PAM module (pam_passwdqc), command-line programs (pwqcheck, pwqfilter, and pwqgen), and a library (libpasswdqc).
On systems with PAM, pam_passwdqc is normally invoked on password changes by programs such as passwd(1). It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable.
pwqcheck and pwqgen are standalone password/passphrase strength checking and random passphrase generator programs, respectively, which are usable from scripts. The pwqfilter program searches, creates, or updates binary passphrase filter files, which can also be used with pwqcheck and pam_passwdqc.
libpasswdqc is the underlying library, which can also be used from third-party programs.
You can view the latest INSTALL, README, PLATFORMS, CHANGES, and LICENSE files (which are also included in the archives below), as well as screenshots demonstrating the uses and setup of passwdqc on Openwall GNU/*/Linux. There's a wiki page with detailed Solaris-specific instructions and another one with password strength policy considerations (a must read before you possibly override passwdqc's defaults). There's also a tutorial on using the pwqcheck program from PHP scripts.
Download (release notes, previous release notes):
These and other versions of passwdqc, as well as local copies of the contributed resources below, are also available from the Openwall file archive. The source code of passwdqc can be browsed on GitHub.
Follow this link for information on verifying the signatures.
Purchase optional add-ons (and support the project):
This kind of checking of user-provided passwords against existing data breaches is recommended in the current NIST guidance, specifically in publication 800-63B sections 188.8.131.52 and A.3.
Please refer to the passwdqc for Windows homepage for purchase and licensing terms for the filters, and for a more detailed description of what's included. It's the same filter files, and we actually generate them on Linux. It's just that we prefer to keep this main passwdqc homepage focused on the free software project and not on our paid offerings.
There's a mailing list where you can share your experience with passwdqc and ask questions. Please be sure to specify an informative message subject whenever you post to the list (that is, something better than "question" or "problem"). To subscribe, enter your e-mail address below or send an empty message to <passwdqc-users-subscribe at lists.openwall.com>. You will be required to confirm your subscription by "replying" to the automated confirmation request that will be sent to you. You will be able to unsubscribe at any time and we will not use your e-mail address for any other purpose or share it with a third party. However, if you post to the list, other subscribers and those viewing the archives may see your address(es) as specified on your message. There is a web-based archive of the list.
We can help you integrate passwdqc into your OS installs, software, or online services. Please check out our services.
pam_passwdqc has been integrated into FreeBSD 5.0+ and DragonFly BSD 2.2+, and packaged for OpenBSD and NetBSD. It is used by default on Owl and distributions by ALT Linux team. Packages also exist in Fedora, Debian GNU/Linux, Ubuntu, OpenSUSE, Gentoo Linux, and PLD. Additionally, pam_passwdqc packages existed in Red Hat Enterprise Linux and CentOS versions 3 to 6.
passwdqc is a registered project with Open Hub.
You might want to check out these other PAM modules.