Date: Sun, 5 May 2013 09:21:18 +0400
From: Solar Designer <solar@...nwall.com>
To: javier wilson <javier.wilson@...il.com>
Cc: passwdqc-users@...ts.openwall.com
Subject: Re: option to use spanish words

Hi,

On Fri, Apr 05, 2013 at 01:13:46PM -0300, javier wilson wrote:
> I have changed the source a little bit to allow users to config language as
> Spanish and use a different list of words.
> Have a look at https://github.com/javierwilson/passwdqc

I just took a look.  Sorry it took me a month to get to this. :-(

There's a major problem: the order of words in wordset_4k.es.c does not
meet the requirements specified in the comment in wordset_4k.c, and also
two "words" contain characters that are against the requirements
specified in the same comment.  The code in passwdqc_check.c and/or
passwdqc_random.c depends on these properties, which are now not met.
This may result in runtime misbehavior, up to being a security weakness.

More specifically, though, it looks like you got lucky, and generation
of random passphrases is not impacted.  The only disallowed character
seen in the words is a dot, and luckily the list of SEPARATORS does not
include a dot.  The order of words is important to passwdqc_check.c, but
not to passwdqc_random.c.  The code in passwdqc_check.c does depend on
the words being purely-alphabetic, so your use of a dot in two of the
words is problematic.

So in practice you slightly broke the checking for weak passwords.

You also did so by the very replacement of the wordlist from English to
Spanish, because it is likely that even in Spanish-speaking countries
English is more relevant for passwords.  I typically see more
English-based than native-language-based passwords in leaked dumps from
any country.  Maybe Spanish is some kind of an exception, though,
because somehow there were more suggestions to add support for it to
passwdqc than for any other language.  In fact, I had a revised version
of passwdqc for Spanish contributed to me for redistribution, but
unfortunately I never got around to doing that properly. :-(  So you
were quicker to post one publicly.

Besides functionality, another aspect is licensing.  I'd appreciate it
if you add proper copyright and licensing statements to any files you
modified or added.  As it is, your revision of passwdqc is not
redistributable, and additionally it misattributes your bugs to me. ;-)

Sorry for the criticism, and thanks,

Alexander
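
A lint pass over a candidate wordlist for the invariants the message describes (purely alphabetic words, the ordering rule, no overlap with SEPARATORS), added here as an example and not passwdqc's own code. The SEPARATORS value, the lowercase-ASCII alphabet, plain ascending byte order and the 4096-word count are stand-in assumptions; substitute the real rules from passwdqc_random.c and the comment in wordset_4k.c before linting a real list.

```python
"""Lint a passwdqc-style wordset for the invariants the checker and the
passphrase generator rely on. Added example, not passwdqc's own code."""
import string

# Stand-in for the SEPARATORS string in passwdqc_random.c (constructed here;
# substitute the real one when linting an actual wordlist).
SEPARATORS = "-_!$&*+=23456789"
# Assumed: words consist of lowercase ASCII letters only.
ALPHABET = set(string.ascii_lowercase)


def lint_wordset(words, expected_count=4096):
    """Return problems keyed by the component they affect.

    'check'  -> defects that break weak-password detection (passwdqc_check.c):
                non-alphabetic characters and out-of-order words.
    'random' -> defects that break passphrase generation (passwdqc_random.c):
                word characters colliding with SEPARATORS, or a wrong word
                count (assumed: the generator picks words by fixed-width index).
    An empty dict means every invariant checked here holds.
    """
    problems = {"check": [], "random": []}
    if len(words) != expected_count:
        problems["random"].append(f"{len(words)} words, expected {expected_count}")
    for i, w in enumerate(words):
        bad = sorted(set(w) - ALPHABET)
        if bad:
            problems["check"].append(f"#{i} {w!r}: non-alphabetic {bad}")
        clash = sorted(set(w) & set(SEPARATORS))
        if clash:
            problems["random"].append(f"#{i} {w!r}: contains separator {clash}")
        # Assumed ordering rule: ascending byte order, standing in for the
        # actual order requirement documented in wordset_4k.c.
        if i and w < words[i - 1]:
            problems["check"].append(
                f"#{i} {w!r}: out of order after {words[i - 1]!r}")
    return {k: v for k, v in problems.items() if v}


# Constructed sample: a dotted "word" and a misplaced entry, count lowered to fit.
SAMPLE = ["abeja", "agua", "s.a.", "casa", "dia", "flor"]

if __name__ == "__main__":
    for component, issues in lint_wordset(SAMPLE, len(SAMPLE)).items():
        print(component)
        for issue in issues:
            print("  ", issue)
```

On the sample, the dot shows up only under 'check' and never under 'random', which is exactly the "got lucky" situation the message describes.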
