Re: pam_passwdqc wordlist .vs. cracklib word list
- From: Solar Designer <solar openwall com>
- To: pam-list redhat com
- Subject: Re: pam_passwdqc wordlist .vs. cracklib word list
- Date: Sun, 9 Jun 2002 07:32:07 +0400
On Sun, Jun 09, 2002 at 04:13:52AM +1000, Jenn Vesperman wrote:
> > On Fri, Jun 07, 2002 at 05:30:51PM +1000, John Warburton wrote:
>
> > > My question is that cracklib has a huge dictionary & I can add to it. But,
> > > pam_passwdqc has a small dictionary in wordset_4k.c (it doesn't even have
> > > the word "snoopy" ;-) I don't feel as safe with pam_passwdqc as it has a
> > > small dictionary, yet Solar Designer really has it in for libcrack, and I
> > > respect Solar Designer's opinion.
>
> Why not use both? Stack them. Make the users pass both systems.

It's not such a good idea because:

1. One of the features of pam_passwdqc is its support for passphrases.
They may contain dictionary words, yet be strong enough. Also using
CrackLib would defeat that.

2. Both pam_passwdqc and pam_cracklib support user interaction. In
order to stack both modules, you'd have to disable user interaction in
one (which, at least for the case of pam_passwdqc, is supported). The
disadvantage is that by doing so you disallow having multiple attempts
to enter a new password which would satisfy the module for which user
interaction has been disabled. If a weak password is entered (by that
module's definition), pam_chauthtok() will immediately return failure.
--
/sd
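
The stacking arrangement discussed in the message above, written out as a PAM password stack. This is an added example, not part of the original post; the file path, control flags and option values are assumptions chosen for illustration, using the `retry=` and `use_authtok` options that pam_cracklib, pam_passwdqc and pam_unix document.

```conf
# /etc/pam.d/passwd  (constructed example; path and values are assumptions)

# Variant A: both modules stacked, as proposed in the quoted question.
# pam_cracklib prompts for the new password and allows up to 3 attempts
# against its own rules.
password  requisite  pam_cracklib.so  retry=3

# use_authtok disables user interaction in pam_passwdqc: it only checks the
# password already accepted by the module above. If pam_passwdqc considers
# that password weak, the user gets no further attempt and pam_chauthtok()
# returns failure immediately (point 2 of the message).
# A passphrase made of dictionary words can be refused by pam_cracklib before
# it ever reaches this line, so passphrase support is lost (point 1).
password  requisite  pam_passwdqc.so  use_authtok

# pam_unix stores whatever password passed the checks above.
password  required   pam_unix.so      use_authtok

# Variant B: pam_passwdqc alone. It prompts itself, keeps its own retries,
# and its passphrase rules stay in effect.
#password  requisite  pam_passwdqc.so  retry=3
#password  required   pam_unix.so      use_authtok
```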