diff --git a/management/univention-management-console/conffiles/etc/pam.d/univention-management-console.d/80_password b/management/univention-management-console/conffiles/etc/pam.d/univention-management-console.d/80_password
index c9f6e47813..e3bad76ad6 100644
--- a/management/univention-management-console/conffiles/etc/pam.d/univention-management-console.d/80_password
+++ b/management/univention-management-console/conffiles/etc/pam.d/univention-management-console.d/80_password
@@ -1,3 +1,11 @@
-password requisite  pam_cracklib.so
-password sufficient pam_unix.so obscure use_first_pass use_authtok
-password required pam_krb5.so use_first_pass use_authtok force_pwchange
+@!@
+## Caution: The use_first_pass option for the second module in the stack
+##          requires that there is a module before it, otherwise UMC gets "Errorcode 20:"
+
+if configRegistry.get('password/quality/mspolicy') == 'sufficient':
+	print('password sufficient             pam_unix.so obscure use_authtok')
+else:
+	print('password requisite              pam_cracklib.so')
+	print('password sufficient             pam_unix.so obscure use_first_pass use_authtok')
+print('password required               pam_krb5.so use_first_pass use_authtok force_pwchange')
+@!@