Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 5 May 2013 09:21:18 +0400
From: Solar Designer <solar@...nwall.com>
To: javier wilson <javier.wilson@...il.com>
Cc: passwdqc-users@...ts.openwall.com
Subject: Re: option to use spanish words

Hi,

On Fri, Apr 05, 2013 at 01:13:46PM -0300, javier wilson wrote:
> i have changed the source a little bit to allow users to config language as
> spanis and use a different list of words.
> have  a look at https://github.com/javierwilson/passwdqc

I just took a look.  Sorry it took me a month to get to this. :-(

There's a major problem: the order of words in wordset_4k.es.c does not
meet the requirements specified in the comment in wordset_4k.c, and also
two "words" contain characters that are against the requirements
specified in the same comment.  The code in passwdqc_check.c and/or
passwdqc_random.c depends on these properties, which are now not met.
This may result in runtime misbehavior, up to being a security weakness.

More specifically, though, it looks like you got lucky, and generation
of random passphrases is not impacted.  The only disallowed character
seen in the words is a dot, and luckily the list of SEPARATORS does not
include a dot.  The order of words is important to passwdqc_check.c, but
not to passwdqc_random.c.  The code in passwdqc_check.c does depend on
the words being purely-alphabetic, so your use of a dot in two of the
words is problematic.

So in practice you slightly broke the checking for weak passwords.

You also did so by the very replacement of the wordlist from English to
Spanish, because it is likely that even in Spanish-speaking countries
English is more relevant for passwords.  I typically see more
English-based than native language based passwords in leaked dumps from
any country.  Maybe Spanish is some kind of an exception, though,
because somehow there were more suggestions to add support for it to
passwdqc than for any other language.  In fact, I had a revised version
of passwdqc for Spanish contributed to me for redistribution, but
unfortunately I never got around to doing that properly. :-(  So you
were quicker to post one publicly.

Besides functionality, another aspect is licensing.  I'd appreciate it
if you add proper copyright and licensing statements to any files you
modified or added.  As it is, your revision of passwdqc is not
redistributable, and additionally it misattributes your bugs to me. ;-)

Sorry for the criticism, and thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.