Date: Fri, 22 Jan 2021 14:50:17 +0100
From: Solar Designer <solar@...nwall.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: how to require use of specific character classes

Hello James,

On Thu, Jan 21, 2021 at 02:53:03PM -0500, James Dietrich wrote:
> Suppose that a password policy requires that passwords include at least one each of lower-case letters, upper-case letters, and digits. How could one configure pam_passwdqc to implement this?

With passwdqc, you can use this:

min=disabled,disabled,disabled,8,8

or this:

min=disabled,disabled,disabled,disabled,8

(or with any other minimum length in place of 8).  These are not exactly
the policy you describe, but they're more consistent policies.  The
former will allow use of special characters in lieu of any one of the 3
character classes you mentioned, which is generally a good thing for
both security and user convenience.  The latter will require 4 classes.

> I had been using pam_cracklib for this, and accomplished the above with these options:
> lcredit=-1 ucredit=-1 dcredit=-1
> Having recently learned of pam_cracklib's deprecation, I wanted to replace it with something else. I first tried pam_passwdqc, but could not figure out how to make it require that passwords include at least one each of lower-case letters, upper-case letters, and digits. So I ended up switching to pam_pwquality, which is backwards compatible with pam_cracklib. That works, but I'd still like to know if it's possible to accomplish the same thing with pam_passwdqc.

There isn't currently a way to accomplish exactly the same.

I understand this may be required to meet a pre-existing policy.  We
tried to keep passwdqc policies more reasonable so far, but maybe we
need to add a clearly discouraged set of options intended for use for
compliance rather than security in environments where the policy somehow
cannot be changed.  A minor complication is we'll also need to have
pam_passwdqc describe such policies in its new password prompt, but
maybe we need to provide yet another option to specify that description
via an external text file.  Then any inaccuracies in there wouldn't be
our problem. ;-)

Alexander
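To make the difference between the two `min=` settings above concrete, here is an added example (not part of this message and not passwdqc's own code) that models, in Python, how passwdqc's `min=N0,N1,N2,N3,N4` setting is applied to a candidate password. It follows the passwdqc.conf(5) description: N0, N1, N3 and N4 are the minimum lengths for passwords built from one, two, three and four character classes (digits, lower-case, upper-case, other), N2 is reserved for passphrases, `disabled` rejects that kind outright, and an upper-case letter used as the first character or a digit used as the last character does not count towards the class total. It deliberately leaves out passdwqc's other checks (passphrase word counting, dictionary and old-password similarity tests, the distinct-character requirement); non-ASCII characters are simply treated as "other" here, and the sample passwords are constructed for the demonstration.

```python
"""Simplified model of passwdqc's min= length policy (added example, not passwdqc code)."""

import string

# Index into the min= list for a given number of character classes.
# Two-class passwords use N1; N2 (index 2) is for passphrases, which
# this simplified model does not evaluate.
_INDEX_FOR_CLASSES = {1: 0, 2: 1, 3: 3, 4: 4}


def parse_min(setting: str) -> list:
    """Parse 'min=N0,N1,N2,N3,N4' into five entries: an int, or None for 'disabled'."""
    if setting.startswith("min="):
        setting = setting[len("min="):]
    fields = setting.split(",")
    if len(fields) != 5:
        raise ValueError("min= takes exactly five comma-separated values")
    values = [None if f == "disabled" else int(f) for f in fields]
    # passwdqc requires each value to be no larger than the preceding one;
    # 'disabled' behaves as an infinitely large minimum for this check.
    prev = float("inf")
    for v in values:
        cur = float("inf") if v is None else v
        if cur > prev:
            raise ValueError("min= values must be non-increasing: %s" % setting)
        prev = cur
    return values


def count_classes(password: str) -> int:
    """Count character classes the way passwdqc does, ignoring a leading
    upper-case letter and a trailing digit ("common ways" that add no strength)."""
    digits = lowers = uppers = others = False
    last = len(password) - 1
    for i, c in enumerate(password):
        if c in string.digits:
            if i == last:
                continue  # digit as the last character is not counted
            digits = True
        elif c in string.ascii_lowercase:
            lowers = True
        elif c in string.ascii_uppercase:
            if i == 0:
                continue  # upper-case first character is not counted
            uppers = True
        else:
            others = True  # punctuation, whitespace, non-ASCII all count as "other"
    return int(digits) + int(lowers) + int(uppers) + int(others)


def check_length(password: str, mins: list) -> bool:
    """Return True if the password meets the min= length for its class count."""
    classes = count_classes(password)
    if classes == 0:
        return False
    required = mins[_INDEX_FOR_CLASSES[classes]]
    if required is None:
        return False  # that kind of password is 'disabled'
    return len(password) >= required


def evaluate(setting: str, passwords) -> dict:
    """Apply one min= setting to several candidates; returns {password: accepted}."""
    mins = parse_min(setting)
    return {p: check_length(p, mins) for p in passwords}


# The two settings from the message, plus constructed sample passwords.
POLICY_THREE_OR_FOUR = "min=disabled,disabled,disabled,8,8"
POLICY_FOUR_ONLY = "min=disabled,disabled,disabled,disabled,8"
SAMPLES = ["Password1", "Tr0ub4dor", "tr0ub4doR", "tr0ub4do!", "tR0ub4do!", "aB3$"]

if __name__ == "__main__":
    for policy in (POLICY_THREE_OR_FOUR, POLICY_FOUR_ONLY):
        print(policy)
        for pw, ok in evaluate(policy, SAMPLES).items():
            print("  %-10s classes=%d  %s" % (pw, count_classes(pw), "accept" if ok else "reject"))
```

Running the block shows the point made in the message: `tr0ub4do!` (lower-case, digits, punctuation) passes the first setting because the special character stands in for upper-case, and only `tR0ub4do!`, with all four classes, passes the second. `Password1` counts as a single class, since the leading capital and trailing digit are discounted.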
