Sounds to me like _CrackLib_ is badly written.

The getpwuid((getuid() looks suspicious: multiple users could be
sharing the same uid.

There's also good historical precedent for a getpwent(_) that returns
a pointer to static storage.

Both Ultrix and SunOS 4.1 explicitly give a restriction that the
result of getpwen() is contained in a static area which is overwritten
by subsequent calls to getwpent() and friends.

POSIX and/or X.Open may disallow that now behaviour; I don't know.
But if your description is accurte, CrackLib would fail in the
way you've described on on those systems also.

One easy way to get getwpent() to DTRT is to have it malloc a
structure bigger than a struct passwd, put its struct passwd resulta
there, and keep its internal passwd-file state at the end.  Some
versions of the GNU/Linux libc seem to do this.  But then who frees
the malloc()'d memory?  (How fast can you say ``memory leak?'')