[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: md5 hashing on passwords?

> > My only concern with this function is that it would still treat (e.g) two
> > 128-character passwords with good randomization as too similar if they
> > contained the same set of characters.  Still, the proposed change is certainly
> > a far sight better than what we currently have, and I don't know of a simple
> > way to check if two passwords are too similar (or even a simple way to
> > /define/ if they're too similar), so I'm not going to worry too much about it.
> > :)
> What still concerns me is that a password like:
>  thequickbrownfoxjumpsoverthelazydog
> would be hard to replace, since this check would basically match most of
> any conventional replacment. Any ideas on that?

Here's what I am using in pam_passwdqc:

	match=N				[match=4]

The length of common substring required to conclude that a password is
at least partially based on information found in a character string,
or 0 to disable the substring search.  Note that the password will not
be rejected once a weak substring is found.  Instead, the password
will be subjected to the usual strength requirements with the weak
substring removed.

The substring search is case-insensitive and is able to detect and
remove a common substring spelled backwards.

	similar=permit|deny		[similar=deny]

Whether a new password is allowed to be similar to the old one.  The
passwords are considered to be similar when there's a sufficiently
long common substring and the new password with the substring removed
would be weak.

Solar Designer

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []