My system is allowing me to authenticate with only 8, why?
max=N (max=40)
The maximum allowed password length. This can be used
to prevent users from setting passwords that may be too long for some
system services. The value 8 is treated specially: if max is set to 8,
passwords longer than 8 characters will not be rejected, but will be
truncated to 8 characters for the strength checks and the user will be
warned. This is to be used with the traditional DES-based password
hashes, which truncate the password at 8 characters.
It is important that you do set max=8 if you are using the traditional
hashes, or some weak passwords will pass the checks.
Source pam_passwdqc(8) - Linux man page
I see, is that configurable?
The following information is for SUSE. Other distros will have similar configuration files. You will have to figure this out yourself as you are "not using a standard distro".
The pam_pwcheck configuration file is located at /etc/security/pam_pwcheck.conf.
In this article we are going to force the user not to have a simple
password such as a dictionary word.
password: use_cracklib minlen=5 maxlen=10 tries=3 remember=20
use_cracklib
This directive tells PAM to use the cracklib module.
minlen=10
This directive specifies the minimum number of alphanumeric characters allowed.
maxlen=10
This directive specifies the maximum number of alphanumeric characters allowed.
tries
This directive specifies how many attempts the user is allowed before denying them to change their password.
remember
This directive specifies how many passwords to remember so that the user cannot use those passwords.
Source Setting password policies
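Whether the 8-character truncation from the man page excerpt applies to an account depends on the hash scheme stored for it, which can be read from the second field of each shadow entry before choosing a max or maxlen value. The Python below is an added example, not code from this thread or from either quoted source; the function names and the sample shadow lines are constructed for illustration.

```python
import re

# crypt(3) identifier prefixes; traditional DES hashes carry no "$" prefix.
PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
# Traditional DES: 2 salt characters + 11 hash characters from [./0-9A-Za-z].
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Return the hash scheme name for the second field of a shadow entry."""
    if hash_field == "":
        return "empty"
    body = hash_field.lstrip("!")      # a leading "!" marks a locked password
    if body in ("", "*"):
        return "locked"
    for prefix, name in PREFIXES.items():
        if body.startswith(prefix):
            return name
    if DES_RE.fullmatch(body):
        return "des"
    return "unknown"

def accounts_truncating_at_8(shadow_text):
    """List users whose stored hash only covers the first 8 password characters."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or line.lstrip().startswith("#"):
            continue
        if classify(fields[1]) == "des":
            hits.append(fields[0])
    return hits

# Constructed sample in shadow(5) layout; the hash values are placeholders.
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:19000:0:99999:7:::
alice:ab01FAX.bQRSU:19000:0:99999:7:::
bob:$2y$10$constructedconstructedconstructed:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
carol:!xy9nGd3kPq.Lm:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user in accounts_truncating_at_8(SAMPLE_SHADOW):
        print(f"{user}: traditional DES hash, password truncated at 8 characters")
```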