Date: Mon, 29 Mar 2010 16:52:26 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] passwdqc 1.2.1; C/R algorithms

Hi,

This is to announce two minor items at once:

1. passwdqc 1.2.1 is out:

http://www.openwall.com/passwdqc/

In this version, a password strength check has been adjusted to no
longer subject certain passwords that start with a digit and/or end with
a capital letter to an unintentionally stricter policy.

Those interested in more detail about this change may refer to the
verbose commit message and maybe the code changes here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/passwdqc/passwdqc/passwdqc_check.c?only_with_tag=PASSWDQC_1_2_1

2. I've published a couple of enhanced challenge/response authentication
algorithms that I came up with while working on popa3d 10+ years ago:

http://openwall.info/wiki/people/solar/algorithms/challenge-response-authentication

The goal was to address the major drawback of existing simple C/R
schemes such as APOP and CRAM-MD5 (where these would require storage of
plaintext passwords or of plaintext-equivalents on the server, thereby
possibly making the setup less secure than it would be with simple
password authentication not involving C/R), yet not go all the way for
public-key crypto (stay simple).  This goal was achieved, although the
algorithms do have certain limitations.  They didn't fit in the existing
C/R exchanges supported in POP3 and in its existing extensions, hence
they never made it into popa3d.

Please feel free to reuse these.

Alexander
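
The drawback described in the message above, shown as an added example that is not part of the original post or of popa3d: with APOP (RFC 1939) and CRAM-MD5 (RFC 2195) the server can only check a response by recomputing it from the stored secret, so the stored value must be the password itself and is enough on its own to answer any challenge. The helper names, the PBKDF2 parameters and the `mail.example` challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def apop_response(challenge: bytes, secret: bytes) -> str:
    """RFC 1939 APOP: hex MD5 of the server's timestamp banner followed by the secret."""
    return hashlib.md5(challenge + secret).hexdigest()

def cram_md5_response(challenge: bytes, secret: bytes) -> str:
    """RFC 2195 CRAM-MD5: hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def server_verify(scheme, stored: bytes, challenge: bytes, response: str) -> bool:
    """The server recomputes the expected response from whatever it keeps on disk."""
    return hmac.compare_digest(scheme(challenge, stored), response)

def hash_for_storage(password: bytes, salt: bytes) -> bytes:
    """Salted, iterated hash of the kind usable with plain password logins
    (algorithm and iteration count are illustrative assumptions)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def stored_value_suffices(scheme, stored: bytes, password: bytes) -> bool:
    """Does the on-disk value alone reproduce what a genuine client sends for a
    fresh challenge? True means the stored value is plaintext-equivalent: the
    server can verify with it, and so can anyone who reads the password file."""
    challenge = b"<" + os.urandom(8).hex().encode() + b"@mail.example>"  # constructed
    genuine = scheme(challenge, password)
    return server_verify(scheme, stored, challenge, genuine)

if __name__ == "__main__":
    password = b"tanstaaf"          # sample secret, constructed for this demo
    hashed = hash_for_storage(password, os.urandom(16))
    for name, scheme in (("APOP", apop_response), ("CRAM-MD5", cram_md5_response)):
        # Plaintext on disk: verification works, and a leak of the file is a leak of the login.
        print(name, "plaintext stored:", stored_value_suffices(scheme, password, password))
        # One-way hash on disk: safe at rest, but the server can no longer verify C/R at all.
        print(name, "salted hash stored:", stored_value_suffices(scheme, hashed, password))
```
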
