Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 22 Jul 2016 22:31:27 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, passwdqc-users@...ts.openwall.com
Subject: [openwall-announce] passwdqc 1.3.1; in Go, JS, Perl, PHP, Python, Ruby; for Windows

Hi,

This is to announce three passwdqc developments:

1. We've released passwdqc 1.3.1 yesterday:

http://www.openwall.com/passwdqc/

This fixes a bug that Jim Paris reported to us via Debian on July 14:

https://bugs.debian.org/831356

As it turns out, since passwdqc 1.1.3 in 2009 the rarely used "non-unix"
option to pam_passwdqc was broken: when that option was enabled,
pam_passwdqc would either segfault or potentially wrongly conclude that
a password is based on the user's information (false positive detection
of weak password).

Under the hood, the problem was an uninitialized pointer in a struct
passed from one source file to another.  (Luckily, the pointed-to memory
was only read from, not written to.)  Being curious, I ran passwdqc
1.3.0 through Coverity and through a recent gcc 7 snapshot's UBSan (as
well as ASan), and neither caught the bug, even though it is of the type
I think these tools are meant to catch.  I guess they don't work over
translation unit boundaries yet.  This 1.3.1 release was also subject to
this kind of testing, as well as testing on the RockYou list and on
plenty of /dev/urandom.

There are a few other minor changes since 1.3.0 as well, but nothing
that would (purposefully) change what passwords are accepted (and indeed
there's no change on the RockYou test).  See the changelog in
passwdqc.spec for more detail.

2. Over the years, people and companies contributed ports of and derived
reimplementations of functionality from passwdqc to other languages, as
well as language bindings for passwdqc proper.  The passwdqc homepage
finally lists many more of these contributions than it did before, and
there are local copies in the Openwall file archive:

http://www.openwall.com/passwdqc/#contrib
http://download.openwall.net/pub/projects/passwdqc/contrib/

Currently listed are Go bindings (by Dmitry Chestnykh), JavaScript port
and its online demo (by Parallels, now Odin), Perl module in CPAN (by
Sherwin Daganato), PHP_passwdqc_check (by Eric Helvey) and GenPhrase (by
Timo H), Python package/egg reimplementing some algorithms from passwdqc
(by Alastair Houghton), and Ruby gems ffi-passwdqc, pwqgen.rb,
easy_passwords (by different authors).

If you have made or are aware of more of these, please add them to:

http://openwall.info/wiki/passwdqc#Ports-to-and-bindings-for-other-programming-languages

and we'll eventually update the homepage and Openwall archive as well.

3. We've just released passwdqc for Windows:

http://www.openwall.com/passwdqc/windows/

Given the target users/market for this (with expensive Windows Server
installs, and compliance rather than security), it is a non-free derived
version of the main passwdqc (which will remain free).

Supported are both domain controllers and end-user systems.  The
product, once installed, registers with the system a password filter
DLL, which is where the policy is enforced.  Also included are three
programs: Configuration, Change Password, and Reset Password - please
see the screenshots.  The latter two programs may be used to easily
duplicate the domain controller's password policy on end-user systems,
so that the users are informed of the specific reasons why their initial
choice of new password may not have met policy.

We're currently providing both 64- and 32-bit builds in the form of .msi
packages (installers), and per our testing these should work on at least
Server 2008 or Windows Vista through Server 2012 and Windows 10.

Feedback is welcome on the passwdqc-users mailing list, or privately.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.