Date: Fri, 8 Mar 2013 15:11:22 +0100
From: Eric Helvey <eric@...iances.org>
To: passwdqc-users@...ts.openwall.com
Subject: Pure PHP reimplementation of passwdqc_check.c

Good morning, all.

I've been chatting with solardiz over the last couple of days about a
PHP re-implementation of passwdqc_check.c that I put together recently.
https://github.com/helver/PHP_passwdqc_check

As a way to test the accuracy of my efforts, I snagged the following file
as an example of passwords:

https://sites.google.com/site/reusablesec/Home/random/KoreLogic_Defcon2010.pot

I then stripped out the hashes, just leaving the plaintext passwords and
used that as input.  I ran both the C version and the PHP version of
passwdqc_check against the input as follows:

php test.php < inputlist > phpversion_output

pwqcheck -1 --multi match=4 max=40 passphrase=3 min=disabled,24,11,8,7 < inputlist > cversion_output

diff cversion_output phpversion_output | grep -- "---" | wc -l  yielded 25.

I then cut the input list down to just that 25 and ended up with the
following:

swapdev@...pdev:~$ cat phpdiffs
Bad passphrase (not enough different characters or classes for this
length): 2010Walå
Bad passphrase (not enough different characters or classes for this
length): Aug2010
Bad passphrase (not enough different characters or classes for this
length): christ0ph3r
Bad passphrase (not enough different characters or classes for this
length): Christ0ph3r
Bad passphrase (not enough different characters or classes for this
length): dec2010
Bad passphrase (not enough different characters or classes for this
length): December01
Bad passphrase (not enough different characters or classes for this
length): february`
OK: february3M
Bad passphrase (not enough different characters or classes for this
length): february83
Bad passphrase (not enough different characters or classes for this
length): Gu111erm1na
Bad passphrase (not enough different characters or classes for this
length): gu!!!erm!na
Bad passphrase (not enough different characters or classes for this
length): January;@
Bad passphrase (not enough different characters or classes for this
length): March43
Bad passphrase (not enough different characters or classes for this
length): èMay2010
Bad passphrase (not enough different characters or classes for this
length): november17
Bad passphrase (not enough different characters or classes for this
length): r00tp4ssw0rd
OK: S4+URd@y+
Bad passphrase (not enough different characters or classes for this
length): çSep2010
Bad passphrase (not enough different characters or classes for this
length): september
Bad passphrase (not enough different characters or classes for this
length): SPRING2004
OK: thUr$d4Y`
OK: tHUr$dAyC
OK: W3DNeSD@Y
OK: weDNe$DAY#
OK: wEDNe$D@yT

swapdev@...pdev:~$ cat cdiffs
Bad passphrase (based on a common sequence of characters and not a
passphrase): 2010Walå
OK:  Aug2010
OK: christ0ph3r
OK: Christ0ph3r
Bad passphrase (based on a common sequence of characters and not a
passphrase):  dec2010
OK:  December01
Bad passphrase (not enough different characters or classes for this
length): february`
OK: february3M
OK:  february83
OK: Gu111erm1na
OK: gu!!!erm!na
Bad passphrase (not enough different characters or classes for this
length): January;@
Bad passphrase (based on a dictionary word and not a passphrase):  March43
Bad passphrase (based on a common sequence of characters and not a
passphrase): èMay2010
OK:  november17
OK: r00tp4ssw0rd
OK: S4+URd@y+
Bad passphrase (based on a common sequence of characters and not a
passphrase): çSep2010
Bad passphrase (not enough different characters or classes for this
length): september
OK:  SPRING2004
OK: thUr$d4Y`
OK: tHUr$dAyC
OK: W3DNeSD@Y
OK: weDNe$DAY#
OK: wEDNe$D@yT

I'm not particularly worried about the ones where both report OK - I figure
there's just some encoding differences going on as I'm generating output.
Same thing with those cases where we both report the same error.  I can
also see that I'm not handling leading spaces in PHP the same way that the
C version is.  I can track that issue down.

So that leaves the following:

swapdev@...pdev:~$ cat phpdiffs
Bad passphrase (not enough different characters or classes for this
length): 2010Walå
Bad passphrase (not enough different characters or classes for this
length): christ0ph3r
Bad passphrase (not enough different characters or classes for this
length): Christ0ph3r
Bad passphrase (not enough different characters or classes for this
length): Gu111erm1na
Bad passphrase (not enough different characters or classes for this
length): gu!!!erm!na
Bad passphrase (not enough different characters or classes for this
length): èMay2010
Bad passphrase (not enough different characters or classes for this
length): r00tp4ssw0rd
Bad passphrase (not enough different characters or classes for this
length): çSep2010
swapdev@...pdev:~$ cat cdiffs
Bad passphrase (based on a common sequence of characters and not a
passphrase): 2010Walå
OK: christ0ph3r
OK: Christ0ph3r
OK: Gu111erm1na
OK: gu!!!erm!na
Bad passphrase (based on a common sequence of characters and not a
passphrase): èMay2010
OK: r00tp4ssw0rd
Bad passphrase (based on a common sequence of characters and not a
passphrase): çSep2010

Any insight would be appreciated.

ELH
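
The manual triage in the message above, as an added example (not part of the original post and not code from either passwdqc implementation): it pairs the two checkers' output lines by position and separates real verdict disagreements from reason-only and cosmetic ones. It assumes both tools emit one unwrapped line per input password in the same order; the function names are hypothetical, and the sample lines are taken from the post with the e-mail wrapping undone.

```python
import re

# The two output forms shown in the post:
#   "OK: <password>"  and  "Bad passphrase (<reason>): <password>"
# Only one space after the colon is consumed, so a leading space that
# belongs to the password itself is preserved.
LINE_RE = re.compile(r"^(?:(OK)|Bad passphrase \((.*?)\)): ?(.*)$")

def parse(output):
    """Return [(verdict, reason, password)] in input order."""
    results = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            ok, reason, pw = m.groups()
            results.append(("OK" if ok else "BAD", reason or "", pw))
    return results

def triage(c_out, php_out):
    """Bucket per-password differences between the C and PHP outputs."""
    c_res, php_res = parse(c_out), parse(php_out)
    if len(c_res) != len(php_res):
        raise ValueError("outputs cover different numbers of passwords")
    buckets = {"verdict": [], "reason": [], "cosmetic": []}
    for (cv, cr, cp), (pv, pr, pp) in zip(c_res, php_res):
        if cv != pv:        # one accepts, the other rejects
            buckets["verdict"].append((cp, cv, pv))
        elif cr != pr:      # both reject, for different reasons
            buckets["reason"].append((cp, cr, pr))
        elif cp != pp:      # same result, password echoed differently
            buckets["cosmetic"].append((cp, pp))
    return buckets

SEQ = "based on a common sequence of characters and not a passphrase"
FEW = "not enough different characters or classes for this length"
# Sample lines from the post (C output first, then PHP output).
C_SAMPLE = "\n".join([
    "OK:  Aug2010", "OK: christ0ph3r",
    f"Bad passphrase ({SEQ}):  dec2010",
    f"Bad passphrase ({FEW}): september", "OK: S4+URd@y+"])
PHP_SAMPLE = "\n".join([
    f"Bad passphrase ({FEW}): Aug2010",
    f"Bad passphrase ({FEW}): christ0ph3r",
    f"Bad passphrase ({FEW}): dec2010",
    f"Bad passphrase ({FEW}): september", "OK: S4+URd@y+"])

if __name__ == "__main__":
    for kind, rows in triage(C_SAMPLE, PHP_SAMPLE).items():
        print(kind, rows)
```

The "verdict" bucket is the one that matters for a password policy port, since it lists inputs that one implementation accepts and the other rejects.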
