Date: Fri, 9 Jan 2015 16:23:15 +0300
From: Solar Designer <solar@...nwall.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: libpasswdqc usage

Hi Jaime,

On Fri, Jan 09, 2015 at 12:21:31PM +0100, Jaime Fernández wrote:
> I'm testing libpasswdqc and libcrack2 to check passwords. I've a sample
> program with libcrack2 (the one included in the dist) but I don't find any
> example to know how to use libpasswdqc. Can you write a sample? Thanks in
> advance.

The included pwqcheck program also serves as the example you ask for: it
uses libpasswdqc.

In fact, I recommend that you simply use pwqcheck for your testing.
When invoked as "pwqcheck -1 --multi", it will read and test multiple
passwords at once (one per line).

Regarding testing of passwdqc vs. its "competitors", please take a look
at this presentation:

http://www.slideshare.net/antondedov5/zn2013-testing-of-password-policy-abridged

Also relevant is this test:

http://openwall.info/wiki/passwdqc/rockyou

I'd be curious to know how libcrack2 performs when tested in these ways.
(I wish Anton included it, but I guess CrackLib was deemed too ancient.)
I expect it will perform rather poorly.  Last time I checked, which I
admit was almost a decade ago, pam_cracklib as used by some Linux
distros would even permit many all-numeric passwords.  In fact, being
unsatisfied with CrackLib and pam_cracklib provided some of the motivation
for me to write pam_passwdqc in 2000, and it eventually turned into the
passwdqc package with the separate library and tools.  From a quick look
at http://soc.if.usp.br/manual/libcrack2/libcrack2.html it appears to be
merely a currently maintained version of the old CrackLib code.  But I
could be wrong.

Alexander
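
An added example, not part of the original message or the passwdqc distribution: a small harness around the "pwqcheck -1 --multi" invocation mentioned above that reports what fraction of a candidate list the policy accepts and why the rest were rejected, which is the kind of measurement the linked tests make. It assumes pwqcheck prints one line per password, either "OK: <password>" or "Bad passphrase (<reason>): <password>"; the sample output is constructed, and the function names are hypothetical.

```python
import re
import shutil
import subprocess
from collections import Counter

# Assumed per-line output of `pwqcheck -1 --multi` (verify against your version):
#   OK: <password>
#   Bad passphrase (<reason>): <password>
BAD_LINE = re.compile(r"^Bad passphrase \((.*?)\): (.*)$")

# Constructed sample output, not captured from a real run.
SAMPLE_OUTPUT = (
    "Bad passphrase (too short): 12345\n"
    "Bad passphrase (based on a dictionary word and not a passphrase): password1\n"
    "OK: Kx7#vq-Lm2!zRt\n"
)

def parse_multi_output(text):
    """Return (accepted, rejected); rejected is a list of (password, reason)."""
    accepted, rejected = [], []
    for line in text.splitlines():
        if line.startswith("OK: "):
            accepted.append(line[len("OK: "):])
            continue
        match = BAD_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised pwqcheck output line: {line!r}")
        rejected.append((match.group(2), match.group(1)))
    return accepted, rejected

def summarize(accepted, rejected):
    """Acceptance rate plus a count of rejections per reason."""
    total = len(accepted) + len(rejected)
    rate = len(accepted) / total if total else 0.0
    return rate, Counter(reason for _, reason in rejected)

def run_pwqcheck(passwords, extra_args=()):
    """Feed candidates (one per line) to pwqcheck and return its stdout."""
    if any("\n" in p or "\r" in p for p in passwords):
        raise ValueError("each candidate must be a single line")
    proc = subprocess.run(
        ["pwqcheck", "-1", "--multi", *extra_args],
        input="".join(p + "\n" for p in passwords),
        capture_output=True, text=True, check=False)  # exit status not relied on
    return proc.stdout

if __name__ == "__main__":
    out = run_pwqcheck(["12345", "password1"]) if shutil.which("pwqcheck") else SAMPLE_OUTPUT
    rate, reasons = summarize(*parse_multi_output(out))
    print(f"accepted {rate:.1%}", dict(reasons))
```

Policy overrides such as "min=..." can be passed through extra_args to compare settings on the same candidate list.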
