Date: Sun, 5 May 2013 09:57:07 -0400
From: javier wilson <javier.wilson@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: passwdqc-users@...ts.openwall.com
Subject: Re: option to use spanish words

Hi Alexander,

Thanks for the criticism, I will work on improving the code and the
licensing, of course.

I only use passwdqc to generate passwords so I did not notice I broke
other features, I will work on it.

I disagree when you say that English is more relevant for passwords even
in Spanish-speaking countries. But you are right, if passwdqc becomes
multilingual it should probably check the chosen language + English.

Another major problem of my fork is that the list of words is poorly
chosen :(

Javier

2013/5/5 Solar Designer <solar@...nwall.com>

> Hi,
>
> On Fri, Apr 05, 2013 at 01:13:46PM -0300, javier wilson wrote:
> > I have changed the source a little bit to allow users to config language
> > as Spanish and use a different list of words.
> > have a look at https://github.com/javierwilson/passwdqc
>
> I just took a look. Sorry it took me a month to get to this. :-(
>
> There's a major problem: the order of words in wordset_4k.es.c does not
> meet the requirements specified in the comment in wordset_4k.c, and also
> two "words" contain characters that are against the requirements
> specified in the same comment. The code in passwdqc_check.c and/or
> passwdqc_random.c depends on these properties, which are now not met.
> This may result in runtime misbehavior, up to being a security weakness.
>
> More specifically, though, it looks like you got lucky, and generation
> of random passphrases is not impacted. The only disallowed character
> seen in the words is a dot, and luckily the list of SEPARATORS does not
> include a dot. The order of words is important to passwdqc_check.c, but
> not to passwdqc_random.c. The code in passwdqc_check.c does depend on
> the words being purely-alphabetic, so your use of a dot in two of the
> words is problematic.
>
> So in practice you slightly broke the checking for weak passwords.
>
> You also did so by the very replacement of the wordlist from English to
> Spanish, because it is likely that even in Spanish-speaking countries
> English is more relevant for passwords. I typically see more
> English-based than native language based passwords in leaked dumps from
> any country. Maybe Spanish is some kind of an exception, though,
> because somehow there were more suggestions to add support for it to
> passwdqc than for any other language. In fact, I had a revised version
> of passwdqc for Spanish contributed to me for redistribution, but
> unfortunately I never got around to doing that properly. :-( So you
> were quicker to post one publicly.
>
> Besides functionality, another aspect is licensing. I'd appreciate it
> if you add proper copyright and licensing statements to any files you
> modified or added. As it is, your revision of passwdqc is not
> redistributable, and additionally it misattributes your bugs to me. ;-)
>
> Sorry for the criticism, and thanks,
>
> Alexander
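The invariants Alexander's review relies on (words purely alphabetic, no separator characters, a defined ordering) can be linted before a translated wordlist is compiled in. The following is an added example, not code from passwdqc or from either author; it assumes a constructed separator set (which, like the real SEPARATORS, contains no dot) and uses strictly ascending strcmp() order as a stand-in for the ordering rule actually stated in the comment in wordset_4k.c.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed separator set for this example only (passwdqc's real SEPARATORS
 * macro is authoritative); like the real one it does not contain '.'. */
#define EXAMPLE_SEPARATORS "_,;:-!"

enum wl_fault { WL_OK = 0, WL_EMPTY, WL_NOT_LOWER_ALPHA, WL_HAS_SEPARATOR,
                WL_OUT_OF_ORDER };

/* One word must be lowercase ASCII letters only (the checker assumes purely
 * alphabetic words) and contain no separator, so that a generated passphrase
 * still splits back into its words unambiguously. */
enum wl_fault check_word(const char *w)
{
    if (*w == '\0')
        return WL_EMPTY;
    for (const char *p = w; *p; p++) {
        if (strchr(EXAMPLE_SEPARATORS, *p))
            return WL_HAS_SEPARATOR;
        if (!islower((unsigned char)*p))
            return WL_NOT_LOWER_ALPHA;
    }
    return WL_OK;
}

/* Whole list: every word passes check_word() and entries are in strictly
 * ascending strcmp() order (assumed stand-in for the rule in wordset_4k.c).
 * Returns -1 if clean, else the index of the first offending entry, with
 * the reason stored in *why when why is non-NULL. */
int check_wordlist(const char *const *list, size_t n, enum wl_fault *why)
{
    for (size_t i = 0; i < n; i++) {
        enum wl_fault f = check_word(list[i]);
        if (f == WL_OK && i > 0 && strcmp(list[i - 1], list[i]) >= 0)
            f = WL_OUT_OF_ORDER;
        if (f != WL_OK) {
            if (why) *why = f;
            return (int)i;
        }
    }
    if (why) *why = WL_OK;
    return -1;
}

/* Constructed samples: one has a dotted word and an ordering slip, one is clean. */
const char *const sample_bad[] = { "agua", "casa", "cas.a", "perro", "gato" };
const char *const sample_ok[] = { "agua", "casa", "gato", "perro" };
```

Running check_wordlist() over sample_bad stops at index 2 ("cas.a"), the same class of defect the review found, while sample_ok passes.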