Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 16 Mar 2010 18:24:48 +0300
From: Solar Designer <>
Subject: [openwall-announce] passwdqc 1.2.0, screenshots, policy considerations, passwdqc-users mailing list


passwdqc, our proactive password/passphrase strength checking and policy
enforcement toolset, has been enhanced in many ways, bringing it up to
version 1.2.0:

The pwqcheck program is now directly usable as the passwordcheck program
on OpenBSD - that is, to check users' passwords as they're set with the
"passwd" program, much like it is done on systems with PAM.  The man page
for pwqcheck and the PLATFORMS file have been updated to provide brief
instructions on setting this up:

pwqcheck is now also able to check multiple passwords/passphrases at
once - e.g., for policy testing on large password/passphrase lists.
Simply running "pwqcheck -1 --multi" reads passwords/passphrases to
check from standard input (until EOF) and prints the check status for
each.  This functionality was in fact used on large publicly-available
lists of cracked passwords to see/verify the effect of other changes
made in this version of passwdqc (described below).

The random passphrases offered by pam_passwdqc, pwqgen, as well as by
the passwdqc_random() function in libpasswdqc, will now encode more
entropy per separator character and per word, increasing their default
size from 42 to 47 bits.  The size of 42 bits was adequate to withstand
not-too-powerful attacks against bcrypt hashes that we use on Owl, but
it was inadequate with weaker hashes that many other systems use.  (In
fact, for the weakest hash types, such as those used by some "web apps",
47 bits is inadequate too, but we can't reasonably increase the default
much further.  Instead, those systems/programs should be fixed to use
hashes that implement "password stretching".)

Substring matching will now partially discount rather than fully remove
weak substrings, support leetspeak, and detect some common sequences of
characters (sequential digits, letters in alphabetical order, adjacent
keys on a keyboard).  The combined effect of these changes is that it
should become slightly easier to come up with a password that would pass
the requirements (there will be fewer spurious "based on a dictionary
word" rejections), yet the percentage of likely-crackable passwords
passing the checks should decrease.

The passphrase strength checking code will now detect and allow
passphrases with non-ASCII (8-bit) characters in the words.  This should
make it easier to use non-English passphrases.

A number of optimizations have been implemented resulting in significant
speedup of passwdqc_check() on real-world passwords.  This matters for
"pwqcheck --multi".

RPM packages can now be built out of the distribution tarballs.  This is
briefly described in the INSTALL file:

We've setup a web page with screenshots demonstrating the uses and setup
of passwdqc:

and a wiki page with password strength policy considerations aimed at
systems administrators deploying and configuring passwdqc:

We have also setup the passwdqc-users mailing list.  Please use it to
share your experience with passwdqc and ask questions.  The subscription
instructions are found right on the passwdqc homepage:


P.S. Social bookmarking buttons have been added to most pages on the
Openwall website, as well as on the Wiki.  Please use these to add your
favorite Openwall web pages to your favorite social websites.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ