[2672] in bugtraq


Re: Not so much a bug as a warning of new brute force attack

daemon@ATHENA.MIT.EDU (Steve Chew)
Tue Jun 4 18:36:18 1996

Date:         Tue, 4 Jun 1996 12:05:24 -0400
Reply-To: schew@tis.com
From: Steve Chew <schew@tis.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.SUN.3.90.960604161655.6463F-100000@papaioea.manawatu.gen.nz> from "Alan Brown" at Jun 4,
              96 04:21:17 pm

>
>> You can lead a user to a good password but you can only make them use it for
>> so long.
>
>What about a fascist passwd program which refers to a dictionary and
>rejects "easy" passwords? Does such an animal exist?
>
        Yes, such a program does exist for UNIX.  It's actually a library
called 'CrackLib' which can easily be compiled into a program to check for
'easy-to-guess' passwords.  It checks the password against the local
dictionary as well as the user's personal info such as their real name
(as kept in the passwd file), and so on.  I've used it and it seems to
work quite nicely.  There may also be other similar programs.
        Using archie, you can search for 'cracklib25' to find sites that
have it.  Or you can get it via ftp from:
  coombs.anu.edu.au   in  /pub/security/words/cracklib25.tar.Z


                                Steve
                                schew@tis.com
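
An added example, not part of the original message and not CrackLib's own code: a simplified sketch of the kind of check the reply describes, rejecting a proposed password that is derived from a word list or from the user's passwd entry (login name and real name). The word list, the passwd line, the function names and the transformation rules are all constructed for illustration and are far smaller than CrackLib's rule set.

```python
import re

# Constructed sample data: a tiny word list and one passwd(5) entry.
SAMPLE_WORDS = {"password", "dragon", "secret", "wizard"}
SAMPLE_PASSWD = "jdoe:x:1001:100:Jane Q. Doe,Room 12,555-0100:/home/jdoe:/bin/sh"

# Digit/symbol substitutions undone before comparing (illustrative subset).
LEET = str.maketrans("013457@$!", "oleastasi")

def personal_tokens(passwd_line):
    """Login name plus words of the real-name part of the GECOS field."""
    fields = passwd_line.strip().split(":")
    if len(fields) != 7:
        raise ValueError("malformed passwd entry")
    login, gecos = fields[0], fields[4]
    name_words = re.findall(r"[a-z]+", gecos.split(",")[0].lower())
    tokens = {login.lower()} | {w for w in name_words if len(w) >= 3}
    if len(name_words) >= 2:
        # Common constructions: initial + surname, first name + surname.
        first, last = name_words[0], name_words[-1]
        tokens |= {first[0] + last, first + last}
    return tokens

def variants(password):
    """Case-folded, trimmed, de-substituted and reversed forms of a password."""
    low = password.lower()
    forms = {low, re.sub(r"^[^a-z]+|[^a-z]+$", "", low)}
    forms |= {f.translate(LEET) for f in forms}
    forms |= {f[::-1] for f in forms}
    forms.discard("")
    return forms

def check_password(password, passwd_line, words, min_len=8):
    """Return a rejection reason, or None if the password passes these checks."""
    if len(password) < min_len:
        return "too short"
    forms = variants(password)
    if forms & personal_tokens(passwd_line):
        return "based on personal information"
    if forms & set(words):
        return "based on a dictionary word"
    return None
```

A password-change program would call `check_password` before accepting the new password and show the returned reason to the user.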
