
cracklib2 - utilities


cracklib2 is a library containing a C function which may be used in a passwd-like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by crack by filtering them out at the source. cracklib2 is not a replacement passwd program. cracklib2 is a library.

cracklib-runtime contains run-time support programs which use the shared library in cracklib2, including programs to build the password dictionary databases used by the functions in the shared library.


  1. General documentation on cracklib2.
  2. Debian cracklib2 utilities.
    1. Debian cracklib2 dictionary utilities.
      1. crack_mkdict
      2. crack_packer
      3. crack_unpacker
    2. Debian cracklib2 test utilities.
      1. crack_testlib
      2. crack_testnum
      3. crack_teststr
  3. Debian dictionaries.

Debian cracklib2 utilities

Debian cracklib2 dictionary utilities.


crack_mkdict file ...

crack_mkdict takes a list of ASCII files, each containing a list of words, one per line. It lowercases all words, removes control characters, and sorts the lists. It outputs the cleaned-up list to standard output.

If you supply massive amounts of text to crack_mkdict you must have enough free space available for use by the sort command. If you do not have 20Mb free in /var/tmp (or whatever temporary area your sort command uses), have a look at the /usr/sbin/crack_mkdict program which is a sh program. You can usually tweak the sort command to use any large area of disk you desire, by use of the -T option. crack_mkdict has a hook for this.


crack_packer cracklib_dictpath

crack_packer reads a list of sorted and cleaned words from standard input and creates a database in the directory and prefix given by the command line argument cracklib_dictpath. Three files are created with the suffixes .hwm, .pwd, and .pwi. These three files are in the format that the FascistCheck subroutine and the crack_unpacker, crack_testlib, crack_testnum, and crack_teststr utilities understand. The numbers of words read and written are printed on stdout.


crack_unpacker cracklib_dictpath

crack_unpacker reads from the database in the directory and prefix given by the command line argument cracklib_dictpath and outputs on standard output the list of words that make up the database.

Debian cracklib2 test utilities.

These are interactive command line utilities to test the installed cracklib dictionary. Each takes one string or number per line. Enter ^C when done.



crack_testlib tests if the input string will be accepted as a valid password by the installed cracklib2 dictionary using the FascistCheck subroutine.



crack_testnum tests if the input integer is an index to a word in the installed cracklib2 dictionary and returns the word if found.



crack_teststr tests if the input string is in the installed cracklib2 dictionary and returns its index number if found.

Debian dictionaries

cracklib2 uses a word database that is in a binary format generated by the utilities crack_mkdict and crack_packer. Three files are created with the suffixes .hwm, .pwd, and .pwi. These files are not byte-order independent; in fact they are probably architecture specific, mostly due to speed constraints.

Compiled database location for cracklib test utilities.

The dictionary test utilities have the location of the dictionary database hard-coded into them. On a Debian system the database is located in the directory /var/cache/cracklib/cracklib_dict and is generated daily with the program /etc/cron.daily/cracklib. The location is also defined in the header file crack.h using the constant CRACKLIB_DICTPATH. None of the subroutines in the cracklib libraries have this location hard-coded into their implementations.

Word lists for creating dictionary databases.

cracklib2 is only as good as the word dictionary database you create. Basically, you want to include any word that a malicious user could guess. It could include:

  • Names (including nicknames and user ids) of all users.
  • Names of pets, relatives, cars, ... of all users.
  • Computer, network, printer, ... names.
  • Insurance numbers, employee numbers, ... of users.
  • ...
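
As an added example (not part of cracklib2 or the Debian package), the shell functions below collect the first kind of word in the list above, user ids and names, from passwd-format input and clean them the way this page describes crack_mkdict doing it: lowercase, strip control characters, sort. The function names, the SORT_TMPDIR variable and the sample accounts are assumptions made for the example.

```shell
#!/bin/sh
# Added example: site-specific words for a cracklib dictionary.

# Constructed sample in passwd(5) format; not real accounts.
sample_passwd() {
    cat <<'EOF'
# constructed sample
root:x:0:0:root:/root:/bin/sh
jdoe:x:1000:1000:Jane Doe,Room 12,555-0100:/home/jdoe:/bin/bash
msmith:x:1001:1001:Mary-Ann Smith:/home/msmith:/bin/bash
daemon:x:1:1::/usr/sbin:/usr/sbin/nologin
EOF
}

# Print each login name and each part of the GECOS full name, one per line.
site_words() {
    awk -F: '
        /^#/ || NF < 5 { next }                 # skip comments, short lines
        {
            print $1                            # user id
            split($5, gecos, ",")               # full name precedes first comma
            n = split(gecos[1], parts, /[ \t.-]+/)
            for (i = 1; i <= n; i++)
                if (length(parts[i]) > 1) print parts[i]
        }'
}

# Lowercase, strip control characters except newline, sort.
# Dropping blank lines and duplicates (-u) is an addition of this example.
# SORT_TMPDIR is an assumed variable name handed to sort -T.
clean_words() {
    LC_ALL=C tr '[:upper:]' '[:lower:]' |
    LC_ALL=C tr -d '\000-\011\013-\037\177' |
    grep -v '^$' |
    LC_ALL=C sort -u -T "${SORT_TMPDIR:-/var/tmp}"
}

# Demo on the constructed sample. On a real host the same stream would be
# piped into crack_packer with the cracklib_dictpath argument.
sample_passwd | site_words | clean_words
```

Pet names, host and printer names, and employee numbers have no standard source on a system, so they would be kept in a hand-maintained file and passed through clean_words together with this output.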

Debian provides a number of word lists that can be used as sources for creating the cracklib2 dictionary database. The package wenglish provides a standard ASCII word list that can be directly used. The package ispell also supplies a large word list but it is in binary format. I haven't figured out how to decode this binary format so that the resulting word list can be used by cracklib2.

I plan to add the word list that comes with crack when I package it.

Here is a site that has dictionaries for a number of non-English languages as well as names.

Copyright © 1998, 1999 Jean Pierre LeJacq
Distributed under the GNU GENERAL PUBLIC LICENSE.
last-modified: Wed, 3 Oct 2001 00:37:09 +0000