Bypassing BAD PASSWORD: contains the user name
This post covers how to work around the "BAD PASSWORD: The password contains the user name in some form" error that prevents you from setting the desired password on Linux (Ubuntu).
Weakening password policy is only appropriate for isolated test or development environments. Do not apply this change on production or internet-facing systems.
Environment: Ubuntu 20.04 / 22.04 / 24.04 (requires root)
[01] Situation
When setting a password with passwd on Linux, you may encounter this error:
```
Changing password for testuser.
Current password:
New password:
BAD PASSWORD: The password contains the user name in some form
New password:
```
The system rejects the new password because the PAM pwquality module detects that the password string resembles the username.
Typical scenario — test server:
| Item | Value |
|---|---|
| Username | testuser |
| Desired password | testuser (or similar) |
| Error | BAD PASSWORD: The password contains the user name in some form |
This is intentional security behaviour in production, but on a local test server or CI environment it is an unnecessary obstacle.
[02] How the Check Works
Ubuntu’s password validation chain looks like this:
```
passwd command
 └─► PAM stack (/etc/pam.d/common-password)
      └─► pam_pwquality.so
           └─► /etc/security/pwquality.conf  ← policy lives here
```
The relevant PAM stack entry:
```
# /etc/pam.d/common-password (requires root to view)
# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
```
pam_pwquality.so reads its policy from /etc/security/pwquality.conf. One of those policy flags is usercheck, which controls whether the password is tested against the username.
[03] Disabling the Validation
3-1. Locate the Password Configuration File
Open the pwquality configuration file with a text editor (root required):
```
sudo nano /etc/security/pwquality.conf
```
Find the usercheck line (it may be commented out, defaulting to 1):
```
# /etc/security/pwquality.conf
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
# usercheck = 1
```
3-2. Change the Password Validation Setting
Set usercheck to 0 to disable the username-similarity check:
```
# /etc/security/pwquality.conf
# Whether to check if it contains the user name in some form.
# The check is enabled if the value is not 0.
usercheck = 0
```
Save and close the file. The change takes effect immediately — no service restart required.
3-3. Verify
Try setting the previously rejected password:
```
passwd testuser
# New password: testuser
# Retype new password: testuser
# passwd: password updated successfully
```
[04] Other Common pwquality Settings
While you have pwquality.conf open, here are other frequently adjusted settings for test environments:
| Setting | Default | Meaning |
|---|---|---|
| minlen | 8 | Minimum password length |
| usercheck | 1 | Reject passwords containing the username |
| dictcheck | 1 | Reject passwords found in a dictionary |
| maxrepeat | 0 (disabled) | Max consecutive identical characters |
| minclass | 0 (disabled) | Minimum number of character classes required |
To disable all quality checks for a test machine, set:
```
# /etc/security/pwquality.conf
# Note: libpwquality treats minlen values below 6 as 6.
minlen = 1
usercheck = 0
dictcheck = 0
```
Reset these to defaults before promoting a test machine to any production role.
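An added example, not part of the original post: a POSIX shell check that supports the reset step above by reporting `usercheck`, `dictcheck` and `minlen` values relaxed from the defaults in the table. The function names `pwq_value` and `pwq_audit` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Defaults are the ones in the
# table above: minlen 8, usercheck 1, dictcheck 1.

# Print the effective value of KEY across the given config files (the last
# uncommented assignment wins), or DEFAULT if the key is never set.
# The ( ) function body keeps variables scoped without the non-POSIX `local`.
pwq_value() (
    key=$1; default=$2; shift 2
    awk -v key="$key" -v val="$default" '
        { sub(/#.*/, "") }                       # strip comments
        {
            n = index($0, "=")
            if (n == 0) next                     # not a key = value line
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key && v != "") val = v
        }
        END { print val }' "$@"
)

# Print one line per relaxed setting; exit status 1 if any were found.
# With no arguments, audits the file this post edits.
pwq_audit() (
    [ $# -gt 0 ] || set -- /etc/security/pwquality.conf
    rc=0
    v=$(pwq_value usercheck 1 "$@")
    if [ "$v" = 0 ]; then echo "usercheck=0: username check disabled"; rc=1; fi
    v=$(pwq_value dictcheck 1 "$@")
    if [ "$v" = 0 ]; then echo "dictcheck=0: dictionary check disabled"; rc=1; fi
    v=$(pwq_value minlen 8 "$@")
    case $v in
        ''|*[!0-9]*) echo "minlen=$v: not a number"; rc=1 ;;
        *) if [ "$v" -lt 8 ]; then echo "minlen=$v: below default of 8"; rc=1; fi ;;
    esac
    exit "$rc"
)
```

Source the file and run `pwq_audit` as a pre-promotion check; a non-zero status means a setting is still relaxed. Options passed as module arguments on the pam_pwquality.so line in /etc/pam.d/common-password are not inspected here.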
[05] Reverting the Change
To re-enable the username check, set usercheck back to 1 (or comment the line out to restore the default):
```
# /etc/security/pwquality.conf
usercheck = 1
```