[581] in Kerberos
Subject: password checking
daemon@TELECOM.MIT.EDU (mar@ATHENA.MIT.EDU)
Date: Mon Jan 9 19:09:49 1989
From: mar@ATHENA.MIT.EDU
To: steiner@ATHENA.MIT.EDU
Cc: Saltzer@ATHENA.MIT.EDU, sms-dev@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: Jennifer Steiner's message of Mon, 09 Jan 89 17:56:50 EST <8901092256.AA05120@BACH.MIT.EDU>

Having listened to the discussion I've started, I'd like to propose
that a library routine be written to do password quality checking. It
would take as input the /etc/passwd line or other available
information about the user concatenated together, the proposed
password, and previously used passwords/keys if available. It would
rate the password on a 1-10 scale, i.e.:
1: password is empty string or same as account name
2: password is trivially derivable from real name, etc.
3: password is on the "100 most common passwords" list
4: password contains only numbers
5: password is 4 characters or less
6: password is in the dictionary
7: password contains only letters
8: password is less than 8 characters
9: password has been used before
10: looks good to us!
Note that we don't currently have a way of distinguishing between
level 9 and level 10, but it is still a useful distinction to think
about. Perhaps a hook should be put into the new kerberos admin
protocol to compare a proposed key with old versions of a key. Level
2 checking is done by checking every substring in forward and reverse
order that is found in the /etc/passwd entry.
Each application can then decide how low of a quality it will accept.
For instance, register might accept level 7 or higher, complaining
about simpler ones but accepting one of level 4 or higher if the user
is insistent. Passwd and kchpass would probably want to be very
strict about root instance passwords.
-Mark
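The 1-10 scale and the per-application policy described in the message, written out as an added C example; this is not code from the original message or from any Athena or Kerberos source. The account name, /etc/passwd line, "most common passwords" list and dictionary are constructed sample data, and applying the level-2 substring check only to passwords of three or more characters (so a single letter does not match every entry) is an assumption of this example. Rules are tried in the order of the scale and the first one that matches wins, which is why a short dictionary word such as "cat" scores 5 rather than 6.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists standing in for the "100 most common passwords"
   list and the system dictionary; not from the original message. */
static const char *common_passwords[] = { "password", "secret", "123456", "qwerty", "letmein" };
static const char *dictionary[] = { "apple", "banana", "orange", "kerberos", "athena" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Lower-case copy of src into dst (at most cap-1 characters). */
static void lower_copy(char *dst, const char *src, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < cap && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void reverse_in_place(char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

static int in_list(const char *pw, const char **list, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(pw, list[i]) == 0) return 1;
    return 0;
}

/* Rate a proposed password on the 1-10 scale from the message.
   passwd_entry is the user's whole /etc/passwd line; old_passwords may be
   NULL with n_old == 0 when no history is available. */
int password_quality(const char *account, const char *passwd_entry,
                     const char *password,
                     const char **old_passwords, size_t n_old)
{
    size_t len = strlen(password), i;
    char lower_pw[256], lower_entry[1024];
    int all_digits = 1, all_alpha = 1;

    /* 1: empty or identical to the account name */
    if (len == 0 || strcmp(password, account) == 0) return 1;

    lower_copy(lower_pw, password, sizeof lower_pw);
    lower_copy(lower_entry, passwd_entry, sizeof lower_entry);
    /* 2: password is a substring of the passwd entry read forward or in
       reverse, compared case-insensitively. Assumption: only passwords of
       3+ characters are checked this way; shorter ones hit the length rules. */
    if (len >= 3) {
        if (strstr(lower_entry, lower_pw) != NULL) return 2;
        reverse_in_place(lower_entry);
        if (strstr(lower_entry, lower_pw) != NULL) return 2;
    }
    /* 3: on the common-passwords list */
    if (in_list(lower_pw, common_passwords, COUNT(common_passwords))) return 3;

    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)password[i])) all_digits = 0;
        if (!isalpha((unsigned char)password[i])) all_alpha = 0;
    }
    if (all_digits) return 4;                                   /* 4: only numbers */
    if (len <= 4) return 5;                                     /* 5: 4 chars or less */
    if (in_list(lower_pw, dictionary, COUNT(dictionary))) return 6; /* 6: dictionary word */
    if (all_alpha) return 7;                                    /* 7: only letters */
    if (len < 8) return 8;                                      /* 8: shorter than 8 */
    if (in_list(password, old_passwords, n_old)) return 9;      /* 9: used before */
    return 10;                                                  /* 10: looks good */
}

/* Policy from the message for "register": accept level 7 or higher outright,
   complain about lower levels but accept 4 or higher if the user insists. */
int register_accepts(int level, int user_insists)
{
    if (level >= 7) return 1;
    return user_insists && level >= 4;
}

int main(void)
{
    /* Constructed sample account and passwd line. */
    const char *entry = "jdoe:x:1001:100:Jane Doe,Room 101:/home/jdoe:/bin/csh";
    const char *old[] = { "Tr0ub4dor&3" };
    const char *tries[] = { "", "Doe", "enaj", "secret", "1989", "banana", "zq1!xy", "Tr0ub4dor&3" };
    size_t i;
    for (i = 0; i < COUNT(tries); i++)
        printf("%-12s -> level %d\n", tries[i], password_quality("jdoe", entry, tries[i], old, 1));
    return 0;
}
```

A strict program such as passwd or kchpass handling a root instance would simply demand level 10 (or 9, where no key history exists to tell them apart) instead of calling register_accepts.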