Date: Tue, 16 Mar 2010 18:24:48 +0300 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com Subject: [openwall-announce] passwdqc 1.2.0, screenshots, policy considerations, passwdqc-users mailing list Hi, passwdqc, our proactive password/passphrase strength checking and policy enforcement toolset, has been enhanced in many ways, bringing it up to version 1.2.0: http://www.openwall.com/passwdqc/ The pwqcheck program is now directly usable as the passwordcheck program on OpenBSD - that is, to check users' passwords as they're set with the "passwd" program, much like it is done on systems with PAM. The man page for pwqcheck and the PLATFORMS file have been updated to provide brief instructions on setting this up: http://www.openwall.com/passwdqc/PLATFORMS.shtml pwqcheck is now also able to check multiple passwords/passphrases at once - e.g., for policy testing on large password/passphrase lists. Simply running "pwqcheck -1 --multi" reads passwords/passphrases to check from standard input (until EOF) and prints the check status for each. This functionality was in fact used on large publicly-available lists of cracked passwords to see/verify the effect of other changes made in this version of passwdqc (described below). The random passphrases offered by pam_passwdqc, pwqgen, as well as by the passwdqc_random() function in libpasswdqc, will now encode more entropy per separator character and per word, increasing their default size from 42 to 47 bits. The size of 42 bits was adequate to withstand not-too-powerful attacks against bcrypt hashes that we use on Owl, but it was inadequate with weaker hashes that many other systems use. (In fact, for the weakest hash types, such as those used by some "web apps", 47 bits is inadequate too, but we can't reasonably increase the default much further. Instead, those systems/programs should be fixed to use hashes that implement "password stretching".) Substring matching will now partially discount rather than fully remove weak substrings, support leetspeak, and detect some common sequences of characters (sequential digits, letters in alphabetical order, adjacent keys on a keyboard). The combined effect of these changes is that it should become slightly easier to come up with a password that would pass the requirements (there will be fewer spurious "based on a dictionary word" rejections), yet the percentage of likely-crackable passwords passing the checks should decrease. The passphrase strength checking code will now detect and allow passphrases with non-ASCII (8-bit) characters in the words. This should make it easier to use non-English passphrases. A number of optimizations have been implemented resulting in significant speedup of passwdqc_check() on real-world passwords. This matters for "pwqcheck --multi". RPM packages can now be built out of the distribution tarballs. This is briefly described in the INSTALL file: http://www.openwall.com/passwdqc/INSTALL.shtml We've setup a web page with screenshots demonstrating the uses and setup of passwdqc: http://www.openwall.com/passwdqc/screenshots and a wiki page with password strength policy considerations aimed at systems administrators deploying and configuring passwdqc: http://openwall.info/wiki/passwdqc/policy We have also setup the passwdqc-users mailing list. Please use it to share your experience with passwdqc and ask questions. The subscription instructions are found right on the passwdqc homepage: http://www.openwall.com/passwdqc/ Alexander P.S. Social bookmarking buttons have been added to most pages on the Openwall website, as well as on the Wiki. Please use these to add your favorite Openwall web pages to your favorite social websites.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ