
Re: md5 hashing on passwords?



Kelli Wolfe wrote:
> 
> Thank you for the patch, Steve.  I'm going to get it compiled and
> tested with Andrew's constraints, however...

OK, Andrew is changing his constraints.. I've had a chance to digest
this function some more and think I now understand what it is supposed
to be doing so here is the new constraint:

[morgan@blighty test]$ ./verify.sh 
similar looked at old=rho and new=alpharho, generating
  msg='ok'
similar looked at old=alpharho and new=rho, generating
  msg=is too similar to the old one
similar looked at old=alpha and new=alpharho, generating
  msg=is too similar to the old one
similar looked at old=alpha and new=rhoalpha, generating
  msg=is too similar to the old one

Note, the first one passes because the user is trying to keep their old
password but adding at least as many new characters over those present
in the first password. So on average, the new password contains more
that is new than is old.

./verify.sh looks like this:
-------
#!/bin/sh
./verify_fn rho alpharho
./verify_fn alpharho rho
./verify_fn alpha alpharho
./verify_fn alpha rhoalpha
-------

(See my previous post for the code for 'verify_fn.c'.)

My suggested replacement for 'similar' is this:
----------
static int similar(struct cracklib_options *opt,
		    const char *old, const char *new)
{
    int i, j;

    for (i = j = 0; old[i]; i++) {
	if (strchr (new, old[i])) {
	    j++;
	}
    }

    if (((i-j) >= opt->diff_ok) || (strlen(new) >= (j * 2))) {
	/* passwords are not very similar */
	return 0;
    }

    /* passwords are too similar */
    return 1;
}
----------

If anyone wants to poke holes in this, please do. If I don't hear any
complaints over the next week, I'll commit this change to the sources
and it will be in 0.73.

Cheers

Andrew
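
A table-driven check of the function above, as an added example that is not part of the original post or the project's sources: it reruns the four verify.sh pairs and adds constructed boundary cases for each clause of the final test. The one-field `struct cracklib_options`, the `diff_ok` value of 10, the `sim_case` table and `run_cases()` are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: stand-in holding only the field that similar() reads. */
struct cracklib_options { int diff_ok; };

/* Logic of the similar() proposed in the post (size_t cast added). */
static int similar(struct cracklib_options *opt,
                   const char *old, const char *new)
{
    int i, j;
    for (i = j = 0; old[i]; i++) {
        if (strchr(new, old[i]))
            j++;                /* old character also occurs in new */
    }
    if (((i - j) >= opt->diff_ok) || (strlen(new) >= (size_t)(j * 2)))
        return 0;               /* passwords are not very similar */
    return 1;                   /* passwords are too similar */
}

struct sim_case { const char *old, *new; int expect; };

/* Rows 1-4 are the verify.sh pairs; the remaining rows are constructed. */
static const struct sim_case cases[] = {
    { "rho",          "alpharho",   0 },
    { "alpharho",     "rho",        1 },
    { "alpha",        "alpharho",   1 },
    { "alpha",        "rhoalpha",   1 },
    { "alpha",        "alphaalph",  1 },  /* length 9 < 2*5 */
    { "alpha",        "alphaalpha", 0 },  /* length 10 >= 2*5, no new chars */
    { "abcdefghijk",  "abz",        1 },  /* i-j = 9, below diff_ok */
    { "abcdefghijkl", "abz",        0 },  /* i-j = 10, meets diff_ok */
};

/* Returns the number of rows whose result differs from the expectation. */
static int run_cases(int diff_ok)
{
    struct cracklib_options opt = { diff_ok };
    size_t k;
    int bad = 0;
    for (k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        int got = similar(&opt, cases[k].old, cases[k].new);
        printf("old=%s new=%s msg=%s\n", cases[k].old, cases[k].new,
               got ? "is too similar to the old one" : "ok");
        bad += (got != cases[k].expect);
    }
    return bad;
}

int main(void) { return run_cases(10) ? 1 : 0; }
```

The sixth row shows that the length clause counts every character of the new password, so it is satisfied by repeating characters of the old one; the count `j` only records which old characters reappear.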




