[27026] in bugtraq
Re: Password Security Policy Question
daemon@ATHENA.MIT.EDU (Solar Designer)
Fri Sep 13 13:03:25 2002
Date: Fri, 13 Sep 2002 19:45:50 +0400
From: Solar Designer <solar@openwall.com>
To: Nick Lamb <njl98r@ecs.soton.ac.uk>
Message-ID: <20020913194550.A8485@openwall.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020913021223.A25622@ecs.soton.ac.uk>; from njl98r@ecs.soton.ac.uk on Fri, Sep 13, 2002 at 02:12:23AM +0100
On Fri, Sep 13, 2002 at 02:12:23AM +0100, Nick Lamb wrote:
> Sure enough I can't change my password to 'guess' or 'password' or
> '01234567' using either the GUI or the passwd program. It's not as
> friendly as Mozilla's "password goodness meter" but it will suffice.
Have you tried another string of 8 digits, more random-looking (but
obviously still very weak, as all numeric-only passwords are)? That
used to bypass CrackLib alone (and John the Ripper has enjoyed cracking
many such passwords that have passed CrackLib checks); I don't know if
pam_cracklib has additional checks against that.
> Apparently there are moves afoot to replace or augment Cracklib with
> Solar Designer's pam_passwdqc in some future version of Red Hat Linux.
I haven't heard of that for Red Hat Linux in particular.
pam_passwdqc is currently used on several other Linux distributions
and it has recently been integrated into FreeBSD-current.
http://www.openwall.com/passwdqc/
pam_passwdqc is a simple password strength checking module for
PAM-aware password changing programs, such as passwd(1). In addition
to checking regular passwords, it offers support for passphrases and
can provide randomly generated passwords. All features are optional
and can be (re-)configured without rebuilding.
Currently supported are Linux (Linux-PAM), FreeBSD-current (OpenPAM),
Solaris, and HP-UX 11+.
--
/sd
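The following is an added illustration for this thread, not code from the post, from CrackLib, or from pam_passwdqc. It shows in Python why a random-looking 8-digit string slips past a dictionary-plus-sequence check of the kind discussed above yet is still tiny to brute-force, and how a character-class policy in the spirit of pam_passwdqc rejects it outright. The wordlist and the "too simplistic" test are constructed stand-ins, and the per-class minimum lengths are assumed values chosen to mirror passwdqc's documented default (min=disabled,24,11,8,7); check them against the README of the version you actually run.

```python
"""Why a random-looking all-digit password is still weak, and how a
character-class policy in the spirit of pam_passwdqc catches it.

Added illustration for this thread; it is NOT code from CrackLib or
pam_passwdqc. The dictionary, the "simplistic" test and the per-class
minimum lengths are constructed here to show the idea.
"""
import math

# Constructed stand-in for a wordlist (CrackLib's real list is far larger).
TINY_DICT = {"password", "guess", "secret", "letmein", "qwerty"}


def _class_of(ch):
    """Bucket a character into one of four classes."""
    if ch.isdigit():
        return "digit"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "other"


def cracklib_like(pw):
    """Rough analogue of the checks the thread mentions: a dictionary lookup
    and a test for trivial sequences such as '01234567'. Returns a rejection
    reason, or None if the password passes. Constructed for illustration,
    not CrackLib's real logic."""
    if len(pw) < 6:
        return "too short"
    if pw.lower() in TINY_DICT:
        return "dictionary word"
    # One constant step of 0 or +/-1 between neighbours catches
    # 'aaaaaaaa', '01234567' and 'hgfedcba', but not '48192736'.
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    if len(steps) == 1 and steps <= {-1, 0, 1}:
        return "too simplistic"
    return None


def keyspace_bits(pw):
    """Upper bound on brute-force work: log2(alphabet ** length), taking the
    alphabet as the union of the character classes actually used."""
    if not pw:
        return 0.0
    sizes = {"digit": 10, "lower": 26, "upper": 26, "other": 32}
    alphabet = sum(sizes[k] for k in {_class_of(c) for c in pw})
    return len(pw) * math.log2(alphabet)


# Minimum length for a password using 1, 2, 3 or 4 character classes.
# Assumed values mirroring passwdqc's documented default min=disabled,24,11,8,7
# (the '8' there applies to passphrases, which this example does not model).
MIN_LEN_BY_CLASSES = {1: None, 2: 24, 3: 11, 4: 7}


def class_policy(pw):
    """passwdqc-style check: the fewer character classes, the longer the
    password must be. As passwdqc's documentation describes, an upper-case
    letter at the start and a digit at the end do not count toward the
    class total, so 'Password1' is treated as lower-case only."""
    core = pw
    if core and core[0].isupper():
        core = core[1:]
    if core and core[-1].isdigit():
        core = core[:-1]
    n = len({_class_of(c) for c in core}) or 1
    needed = MIN_LEN_BY_CLASSES[n]
    if needed is None:
        return "only one character class (e.g. all digits) is never accepted"
    if len(pw) < needed:
        return "%d character classes need at least %d characters" % (n, needed)
    return None


def evaluate(pw):
    """Return (cracklib_like verdict, class_policy verdict, keyspace bits)."""
    return cracklib_like(pw), class_policy(pw), round(keyspace_bits(pw), 1)


if __name__ == "__main__":
    # '48192736' passes the naive check but offers only ~26.6 bits of keyspace.
    for candidate in ["password", "01234567", "48192736", "Password1", "r8Kx-v2Qm"]:
        print("%-12s %s" % (candidate, evaluate(candidate)))
```

The point of the comparison is that "randomness" inside a 10-symbol alphabet buys almost nothing: 10^8 candidates is a few seconds of work for John the Ripper, which is why a policy keyed on character classes and length refuses digit-only passwords regardless of how they look.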