Date: Tue, 28 Oct 2014 10:57:30 -0400
From: Dave Kalaluhi <dave.kalaluhimailinglists@...il.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: passwdqc min= and enforce= should be quick questions

Thanks for the information Alexander!

On Mon, Oct 27, 2014 at 5:10 PM, Solar Designer <solar@...nwall.com> wrote:
> On Mon, Oct 27, 2014 at 04:18:23PM -0400, Dave Kalaluhi wrote:
> > So on some newer systems we are using passwdqc via pam.d.
> >
> > The (not actual) settings are:
> > min=5,5,5,5,5 similar=deny enforce=everyone
> >
> > Based on the man pages: with the above min settings, a password like
> > passw should work. (unless I'm reading the man pages wrong).
>
> You're probably not reading descriptions of options that you're not
> using.  The match=N option by default (that is, when it is not
> specified) implies additional checks:
>
>        match=N
>            (default: match=4) The length of common substring required to
>            conclude that a password is at least partially based on
>            information found in a character string, or 0 to disable the
>            substring search.  Note that the password will not be rejected
>            once a weak substring is found; it will instead be subjected to
>            the usual strength requirements with the weak substring
>            partially discounted.
>
>            The substring search is case-insensitive and is able to detect
>            and remove a common substring spelled backwards.
>
> Observe:
>
> $ echo passw | pwqcheck -1 min=5,5,5,5,5
> Bad passphrase (based on a dictionary word and not a passphrase)
> $ echo passw | pwqcheck -1 min=5,5,5,5,5 match=0
> OK
>
> > pam/passwdqc doesn't allow that, and I'm assuming that's because of
> > the enforce=everyone directive.
>
> No, the enforce=everyone option only affects for whom the policy is
> enforced, whereas your question is about the policy itself (whether a
> password is considered weak or not).
>
> > My question is, HOW passwdqc enforces passw is NOT a strong password.
>
> I assume you mean how it "infers" that, not how it "enforces" anything.
> (As I mentioned above, enforcement is a separate thing.)
>
> It finds that "passw" has a 4-character common substring with the word
> "pass", which is on its internal wordlist.  The default for substring
> matching is match=4, which means that a 4-character match is considered
> long enough to trigger this behavior.  The length of this substring is
> then assumed to be one less than the minimum required for a match, thus
> making it 3 characters, plus the "w" character.  That's an effective
> password length of 3 + 1 = 4, which is less than your minimum of 5.
> The reported reason is nevertheless what originally caused this sort of
> checking, "based on a dictionary word and not a passphrase".
>
> I strongly recommend that you don't alter passwdqc's default policy
> unless you have a very important reason to do so.
>
> Alexander
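The following is an added example written for this page, not passwdqc's own code, that re-implements the substring discount Alexander walks through above so the "3 + 1 = 4" arithmetic can be reproduced on arbitrary input. It makes several labelled simplifications: a tiny constructed wordlist stands in for passwdqc's internal list, a single minimum length replaces the five per-class min= values, and only the longest weak substring is discounted. The verdict string for the dictionary case is the one pwqcheck printed in the thread; the "too short" string is an assumed placeholder.

```python
"""Illustrative re-implementation of the match=N substring discount
described in the thread. Not passwdqc's code; see the lead-in for the
simplifications made here."""

# Constructed stand-in for passwdqc's internal wordlist (assumption).
WORDLIST = ("pass", "word", "love", "secret", "admin")


def longest_common_substring(a: str, b: str) -> str:
    """Return the longest contiguous substring shared by a and b."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def weak_substring(password: str, words=WORDLIST, match: int = 4) -> str:
    """Longest wordlist-derived substring of at least `match` characters.

    Searched case-insensitively in the password and in the password
    spelled backwards, as the match=N man page text states. Returns ""
    when nothing qualifies or when match=0 disables the search.
    """
    if match <= 0:
        return ""
    best = ""
    lowered = password.lower()
    for candidate in (lowered, lowered[::-1]):
        for word in words:
            common = longest_common_substring(candidate, word.lower())
            if len(common) >= match and len(common) > len(best):
                best = common
    return best


def effective_length(password: str, words=WORDLIST, match: int = 4) -> int:
    """Password length after the discount: the matched run is counted as
    (match - 1) characters, which for "passw" gives 3 + 1 = 4."""
    weak = weak_substring(password, words, match)
    if not weak:
        return len(password)
    return len(password) - len(weak) + (match - 1)


def check(password: str, min_len: int, words=WORDLIST, match: int = 4):
    """Return (ok, reason) for a single-threshold policy."""
    weak = weak_substring(password, words, match)
    if effective_length(password, words, match) < min_len:
        if weak:
            return (False, "Bad passphrase (based on a dictionary word "
                           "and not a passphrase)")
        return (False, "Bad passphrase (too short)")  # assumed wording
    return (True, "OK")


if __name__ == "__main__":
    # "wssaP" is "passw" spelled backwards with a case change; it is
    # caught by the reversed, case-insensitive search.
    for pw, m in (("passw", 4), ("passw", 0), ("wssaP", 4), ("xq7!v", 4)):
        ok, reason = check(pw, min_len=5, match=m)
        print(f"{pw!r} match={m}: {reason}")
```

Running it reproduces the two pwqcheck results quoted above: "passw" fails with min_len=5 under the default match=4 and passes once match=0 disables the substring search. Real passwdqc applies the discounted length against all five class-based min= thresholds and checks further properties, so treat this as a model of the one mechanism under discussion, not as a drop-in policy checker.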