Re: md5 hashing on passwords?
- From: Steve Langasek <vorlon netexpress net>
- To: pam-list redhat com
- Subject: Re: md5 hashing on passwords?
- Date: Tue, 26 Sep 2000 16:08:07 -0500 (CDT)
On Thu, 21 Sep 2000, Andrew Morgan wrote:
> OK, Andrew is changing his constraints.. I've had a chance to digest
> this function some more and think I now understand what it is supposed
> to be doing so here is the new constraint:
> [morgan@blighty test]$ ./verify.sh
> similar looked at old=rho and new=alpharho, generating
> msg='ok'
> similar looked at old=alpharho and new=rho, generating
> msg=is too similar to the old one
> similar looked at old=alpha and new=alpharho, generating
> msg=is too similar to the old one
> similar looked at old=alpha and new=rhoalpha, generating
> msg=is too similar to the old one
> Note, the first one passes because the user is trying to keep their old
> password but adding at least as many new characters over those present
> in the first password. So on average, the new password contains more
> that is new than is old.
> ./verify.sh looks like this:
> -------
> #!/bin/sh
> ./verify_fn rho alpharho
> ./verify_fn alpharho rho
> ./verify_fn alpha alpharho
> ./verify_fn alpha rhoalpha
> -------
> (See my previous post for the code for 'verify_fn.c'.)
> My suggested replacement for 'similar' is this:
> ----------
> #include <string.h>   /* for strchr() and strlen() */
>
> /* Returns 1 if 'new' reuses too much of 'old', 0 if the passwords are
>  * different enough. opt->diff_ok is the number of characters of the old
>  * password that must be absent from the new one for it to pass outright. */
> static int similar(struct cracklib_options *opt,
>                    const char *old, const char *new)
> {
>     int i, j;
>
>     /* i counts the characters of old, j those that also occur in new */
>     for (i = j = 0; old[i]; i++) {
>         if (strchr (new, old[i])) {
>             j++;
>         }
>     }
>
>     /* not similar if enough old characters are gone, or if new is at
>      * least twice as long as the number of old characters it reuses */
>     if (((i-j) >= opt->diff_ok) || (strlen(new) >= (j * 2))) {
>         /* passwords are not very similar */
>         return 0;
>     }
>
>     /* passwords are too similar */
>     return 1;
> }
> ----------
> If anyone wants to poke holes in this, please do. If I don't hear any
> complaints over the next week, I'll commit this change to the sources
> and it will be in 0.73.
My only concern with this function is that it would still treat (e.g.) two
128-character passwords with good randomization as too similar if they
contained the same set of characters. Still, the proposed change is certainly
a far sight better than what we currently have, and I don't know of a simple
way to check if two passwords are too similar (or even a simple way to
/define/ if they're too similar), so I'm not going to worry too much about it.
:)
Steve Langasek
postmodern programmer