Date: Fri, 22 Jan 2021 14:50:17 +0100
From: Solar Designer <solar@...nwall.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: how to require use of specific character classes

Hello James,

On Thu, Jan 21, 2021 at 02:53:03PM -0500, James Dietrich wrote:
> Suppose that a password policy requires that passwords include at least
> one each of lower-case letters, upper-case letters, and digits. How could
> one configure pam_passwdqc to implement this?

With passwdqc, you can use this:

min=disabled,disabled,disabled,8,8

or this:

min=disabled,disabled,disabled,disabled,8

(or with any other minimum length in place of 8).

These are not exactly the policy you describe, but they're more consistent
policies. The former will allow use of special characters in lieu of any
one of the 3 character classes you mentioned, which is generally a good
thing for both security and user convenience. The latter will require 4
classes.

> I had been using pam_cracklib for this, and accomplished the above with
> these options:
>
> lcredit=-1 ucredit=-1 dcredit=-1
>
> Having recently learned of pam_cracklib's deprecation, I wanted to replace
> it with something else. I first tried pam_passwdqc, but could not figure
> out how to make it require that passwords include at least one each of
> lower-case letters, upper-case letters, and digits. So I ended up
> switching to pam_pwquality, which is backwards compatible with
> pam_cracklib. That works, but I'd still like to know if it's possible to
> accomplish the same thing with pam_passwdqc.

There isn't currently a way to accomplish exactly the same.

I understand this may be required to meet a pre-existing policy. We tried
to keep passwdqc policies more reasonable so far, but maybe we need to add
a clearly discouraged set of options intended for use for compliance rather
than security in environments where the policy somehow cannot be changed.

A minor complication is we'll also need to have pam_passwdqc describe such
policies in its new password prompt, but maybe we need to provide yet
another option to specify that description via an external text file. Then
any inaccuracies in there wouldn't be our problem. ;-)

Alexander
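The difference between the two policies discussed above is easy to misjudge by hand, because passwdqc's class counting follows the rule documented in pam_passwdqc(8): upper-case letters used as the first character and digits used as the last character are not counted. The script below is an added example, not code from the thread, from passwdqc or from pam_pwquality. It models only that documented class-counting rule for the min= option and the "negative credit = required minimum count" reading of lcredit/ucredit/dcredit, then runs both policies over a handful of constructed sample passwords. The dictionary, passphrase, similarity and distinct-character checks the real modules perform are left out, minlen=8 for the cracklib-style side is an assumed value chosen to match the 8 in the min= examples, and non-ASCII input (which passwdqc puts in a separate class) is not modelled.

```python
"""Compare passwdqc 'min=' class policies with cracklib-style credits.

Added example; not code from passwdqc or pam_pwquality.  It models the
class-counting rule from pam_passwdqc(8) and the negative-credit meaning of
lcredit/ucredit/dcredit, nothing more.  Sample passwords are constructed.
"""

DISABLED = "disabled"


def parse_min(spec):
    """Parse 'min=N0,N1,N2,N3,N4' (or just the value) into a 5-element list.

    Each element is an int or the string "disabled".
    """
    value = spec.split("=", 1)[1] if spec.startswith("min=") else spec
    fields = value.split(",")
    if len(fields) != 5:
        raise ValueError("min= needs exactly five fields")
    return [DISABLED if f == DISABLED else int(f) for f in fields]


def count_classes(password):
    """Count character classes as pam_passwdqc(8) documents it.

    Classes: digits, lower-case, upper-case, other.  An upper-case letter
    used as the first character and a digit used as the last character do
    not count.  ASCII only; passwdqc's separate non-ASCII class is ignored.
    """
    if not password:
        return 0
    digits = sum(c.isdigit() for c in password)
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    others = len(password) - digits - lowers - uppers
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def passwdqc_allows(password, minimums):
    """Length-per-class-count rule of passwdqc's min= option.

    Slot mapping from the man page: N0 = one class, N1 = two classes,
    N2 = passphrases (not modelled here), N3 = three, N4 = four classes.
    """
    classes = count_classes(password)
    if classes == 0:
        return False
    slot = {1: 0, 2: 1, 3: 3, 4: 4}[classes]
    limit = minimums[slot]
    return limit != DISABLED and len(password) >= limit


def pwquality_allows(password, minlen=8, lcredit=-1, ucredit=-1,
                     dcredit=-1, ocredit=0):
    """Cracklib-style policy from the quoted message.

    A negative credit means "at least that many characters of this class
    are required" and adds no length credit.  Positive credits are not
    modelled.  minlen=8 is an assumed value for the comparison.
    """
    counts = {
        "l": sum(c.islower() for c in password),
        "u": sum(c.isupper() for c in password),
        "d": sum(c.isdigit() for c in password),
    }
    counts["o"] = len(password) - sum(counts.values())
    for key, credit in (("l", lcredit), ("u", ucredit),
                        ("d", dcredit), ("o", ocredit)):
        if credit < 0 and counts[key] < -credit:
            return False
    return len(password) >= minlen


# Constructed sample passwords, chosen to expose where the policies differ.
SAMPLES = [
    "Passw0rd",     # leading upper and mid digit: 2 classes for passwdqc
    "pa$$w0rd",     # lower+other+digit, no upper: only passwdqc accepts
    "xPassw0rd1",   # upper not first, digit not only at end: 3 classes
    "p@ssword",     # lower+other only: both reject
    "xP@ssw0rd1",   # all four classes
]


def compare(samples=SAMPLES, spec="min=disabled,disabled,disabled,8,8"):
    """Return {password: (passwdqc_verdict, cracklib_style_verdict)}."""
    minimums = parse_min(spec)
    return {p: (passwdqc_allows(p, minimums), pwquality_allows(p))
            for p in samples}


if __name__ == "__main__":
    for spec in ("min=disabled,disabled,disabled,8,8",
                 "min=disabled,disabled,disabled,disabled,8"):
        print(spec)
        for pw, (qc, pwq) in compare(spec=spec).items():
            print(f"  {pw:12} passwdqc={qc!s:5} lcredit/ucredit/dcredit={pwq}")
```

"Passw0rd" shows the asymmetry Solar describes in the other direction: the credit-based policy accepts it, while passwdqc counts only two classes for it and rejects it under both min= settings; "pa$$w0rd" is accepted by the 3-class passwdqc policy because the special character stands in for the missing upper-case letter, which the credit-based policy cannot express.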