Re: Password quality pluggable interface project review
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Aug 30 15:42:05 2010
From: Russ Allbery <rra@stanford.edu>
To: "krbdev@mit.edu" <krbdev@mit.edu>
In-Reply-To: <20100830172641.GP1198@oracle.com> (Nicolas Williams's message of
"Mon, 30 Aug 2010 12:26:50 -0500")
Date: Mon, 30 Aug 2010 12:41:55 -0700
Message-ID: <8739tvnb0c.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Nicolas Williams <Nicolas.Williams@oracle.com> writes:

> - quality check requires more inputs:
> - the KDB entry, specifically, so the password quality module can
> check the user's password history

I wouldn't externalize this into a module, personally, due to the
instability in the KDB structures.

> (and maybe other things, such as user's languages, so that
> dictionary checks can be done for all the languages the user speaks)

That would be a very bad idea for a password quality check. To prevent a
password guessing attack, the language of the user is irrelevant. You
care about the language of the attacker, or rather, what dictionaries the
attacker has. Therefore, the only safe assumption is to assume that the
attacker will check all languages, and you should do the same thing.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
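The point made above, that a quality check must consult every dictionary it has regardless of the user's language, as an added Python example (not code from this thread or from MIT Kerberos; the word lists, the substitution table and the normalization rules are constructed for illustration):

```python
"""Dictionary-based password quality check that takes no user locale.

Added example, not code from the krbdev thread or from MIT Kerberos.
The dictionaries and substitution rules below are constructed samples."""
import re

# Constructed sample word lists, one per language. The user's locale never
# selects which of these are consulted: all of them are checked every time.
DICTIONARIES = {
    "en": {"password", "welcome", "summer", "dragon"},
    "de": {"passwort", "sommer", "schatz", "willkommen"},
    "fr": {"soleil", "bonjour", "motdepasse"},
}

# Single-character substitutions that cracking rules routinely undo.
_SUBST = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password):
    """Normalized forms an attacker's rule set would try for this password."""
    base = password.casefold()
    forms = {base}
    # Drop trailing digits/punctuation ("Sommer2010!" -> "sommer").
    forms.add(re.sub(r"[\d\W_]+$", "", base))
    # Drop leading digits/punctuation as well.
    forms |= {re.sub(r"^[\d\W_]+", "", f) for f in forms}
    # Undo leet-style substitutions on every form collected so far.
    forms |= {f.translate(_SUBST) for f in forms}
    return {f for f in forms if f}


def dictionary_hits(password):
    """Return (language, word) pairs for every dictionary the password hits.

    Deliberately has no language parameter: the attacker's word lists, not
    the user's languages, decide what has to be rejected."""
    forms = candidates(password)
    hits = []
    for lang, words in sorted(DICTIONARIES.items()):
        for word in sorted(words & forms):
            hits.append((lang, word))
    return hits


def check_quality(password):
    """Accept/reject decision plus a reason string for the caller to log."""
    hits = dictionary_hits(password)
    if hits:
        langs = ", ".join(sorted({lang for lang, _ in hits}))
        return False, "password is a dictionary word (found in: %s)" % langs
    return True, "ok"
```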