Date: Sun, 5 May 2013 09:57:07 -0400
From: javier wilson <javier.wilson@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: passwdqc-users@...ts.openwall.com
Subject: Re: option to use spanish words

Hi Alexander,

Thanks for the criticism. I will work on improving the code and the
licensing, of course.
I only use passwdqc to generate passwords, so I did not notice I broke other
features. I will work on it.

I disagree when you say that English is more relevant for passwords even in
Spanish-speaking countries.
But you are right, if passwdqc becomes multilingual it should probably
check the chosen language + English.

Another major problem of my fork is that the list of words is poorly
chosen :(

Javier



2013/5/5 Solar Designer <solar@...nwall.com>

> Hi,
>
> On Fri, Apr 05, 2013 at 01:13:46PM -0300, javier wilson wrote:
> > I have changed the source a little bit to allow users to config language
> > as Spanish and use a different list of words.
> > Have a look at https://github.com/javierwilson/passwdqc
>
> I just took a look.  Sorry it took me a month to get to this. :-(
>
> There's a major problem: the order of words in wordset_4k.es.c does not
> meet the requirements specified in the comment in wordset_4k.c, and also
> two "words" contain characters that are against the requirements
> specified in the same comment.  The code in passwdqc_check.c and/or
> passwdqc_random.c depends on these properties, which are now not met.
> This may result in runtime misbehavior, up to being a security weakness.
>
> More specifically, though, it looks like you got lucky, and generation
> of random passphrases is not impacted.  The only disallowed character
> seen in the words is a dot, and luckily the list of SEPARATORS does not
> include a dot.  The order of words is important to passwdqc_check.c, but
> not to passwdqc_random.c.  The code in passwdqc_check.c does depend on
> the words being purely-alphabetic, so your use of a dot in two of the
> words is problematic.
>
> So in practice you slightly broke the checking for weak passwords.
>
> You also did so by the very replacement of the wordlist from English to
> Spanish, because it is likely that even in Spanish-speaking countries
> English is more relevant for passwords.  I typically see more
> English-based than native language based passwords in leaked dumps from
> any country.  Maybe Spanish is some kind of an exception, though,
> because somehow there were more suggestions to add support for it to
> passwdqc than for any other language.  In fact, I had a revised version
> of passwdqc for Spanish contributed to me for redistribution, but
> unfortunately I never got around to doing that properly. :-(  So you
> were quicker to post one publicly.
>
> Besides functionality, another aspect is licensing.  I'd appreciate it
> if you add proper copyright and licensing statements to any files you
> modified or added.  As it is, your revision of passwdqc is not
> redistributable, and additionally it misattributes your bugs to me. ;-)
>
> Sorry for the criticism, and thanks,
>
> Alexander
>
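
The quoted review separates two consumers of the wordlist: the checking code needs purely-alphabetic words, while random passphrase generation is only affected if a word contains a separator character. The following lint is an added example, not code from either message or from passwdqc. It assumes "alphabetic" means ASCII letters, and its separator set and sample words are constructed placeholders rather than values copied from passwdqc_random.c or wordset_4k.es.c. The ordering requirement is not checked, because the thread does not state it.

```c
#include <stdio.h>
#include <string.h>

#define AFFECTS_CHECK  1 /* not purely alphabetic: weak-password checking */
#define AFFECTS_RANDOM 2 /* contains a separator: random passphrases */

/* Constructed placeholder, NOT passwdqc's SEPARATORS; like the real list
 * (per the thread) it does not contain a dot. */
static const char *sample_separators = "-_+=2345";

/* Constructed sample entries, not taken from any real wordset file. */
static const char *const sample_words[] = { "casa", "perro", "sr.", "uno-dos" };

/* Classify one word; returns a bitmask of AFFECTS_* flags (0 = clean). */
static int lint_word(const char *word, const char *separators)
{
    const unsigned char *p = (const unsigned char *)word;
    int flags = *p ? 0 : AFFECTS_CHECK; /* an empty entry is not a word */

    for (; *p; p++) {
        /* Assumption: ASCII letters only. isalpha() is locale-dependent. */
        if (!((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z')))
            flags |= AFFECTS_CHECK;
        if (strchr(separators, *p))
            flags |= AFFECTS_RANDOM;
    }
    return flags;
}

/* Lint a list; returns the number of offending words, ORs flags into *summary. */
static int lint_wordlist(const char *const *words, size_t n,
                         const char *separators, int *summary)
{
    int bad = 0;

    *summary = 0;
    for (size_t i = 0; i < n; i++) {
        int f = lint_word(words[i], separators);
        if (!f)
            continue;
        bad++;
        *summary |= f;
        fprintf(stderr, "entry %zu \"%s\":%s%s\n", i, words[i],
                (f & AFFECTS_CHECK) ? " not purely alphabetic" : "",
                (f & AFFECTS_RANDOM) ? " contains a separator" : "");
    }
    return bad;
}
```

A word such as the constructed "sr." is flagged only for the checking code, which matches the situation described in the review: the dot breaks the alphabetic requirement but is not a separator.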
