Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 5 May 2013 09:57:07 -0400
From: javier wilson <javier.wilson@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: passwdqc-users@...ts.openwall.com
Subject: Re: option to use spanish words

Hi Alexander,

Thanks for the criticism, I will work on improving the code and the
licensing, of course.
I only use passwdqc to generate passwords so I did not notice I broke other
features, I will work on it.

I disagree when you say that English is more relevant for passwords even in
Spanish-speaking countries.
But you are right, if passwdqc becomes multilingual it should probably
check the chosen language + English.

Another major problem of my fork is that the list of words is poorly chosen
:(

Javier



2013/5/5 Solar Designer <solar@...nwall.com>

> Hi,
>
> On Fri, Apr 05, 2013 at 01:13:46PM -0300, javier wilson wrote:
> > i have changed the source a little bit to allow users to config language
> as
> > spanis and use a different list of words.
> > have  a look at https://github.com/javierwilson/passwdqc
>
> I just took a look.  Sorry it took me a month to get to this. :-(
>
> There's a major problem: the order of words in wordset_4k.es.c does not
> meet the requirements specified in the comment in wordset_4k.c, and also
> two "words" contain characters that are against the requirements
> specified in the same comment.  The code in passwdqc_check.c and/or
> passwdqc_random.c depends on these properties, which are now not met.
> This may result in runtime misbehavior, up to being a security weakness.
>
> More specifically, though, it looks like you got lucky, and generation
> of random passphrases is not impacted.  The only disallowed character
> seen in the words is a dot, and luckily the list of SEPARATORS does not
> include a dot.  The order of words is important to passwdqc_check.c, but
> not to passwdqc_random.c.  The code in passwdqc_check.c does depend on
> the words being purely-alphabetic, so your use of a dot in two of the
> words is problematic.
>
> So in practice you slightly broke the checking for weak passwords.
>
> You also did so by the very replacement of the wordlist from English to
> Spanish, because it is likely that even in Spanish-speaking countries
> English is more relevant for passwords.  I typically see more
> English-based than native language based passwords in leaked dumps from
> any country.  Maybe Spanish is some kind of an exception, though,
> because somehow there were more suggestions to add support for it to
> passwdqc than for any other language.  In fact, I had a revised version
> of passwdqc for Spanish contributed to me for redistribution, but
> unfortunately I never got around to doing that properly. :-(  So you
> were quicker to post one publicly.
>
> Besides functionality, another aspect is licensing.  I'd appreciate it
> if you add proper copyright and licensing statements to any files you
> modified or added.  As it is, your revision of passwdqc is not
> redistributable, and additionally it misattributes your bugs to me. ;-)
>
> Sorry for the criticism, and thanks,
>
> Alexander
>

[ CONTENT OF TYPE text/html SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ