Re: [Savannah-users] password must contain multiple character classes...


From: Ineiev
Subject: Re: [Savannah-users] password must contain multiple character classes...
Date: Thu, 02 May 2013 15:15:14 +0000

Hello,

It looks like the relevant files are
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/init.php
frontend.sv.gnu.org:/var/www/savane/frontend/php/include/account.php
(the repository being GIT of
http://savannah.gnu.org/projects/savane-cleanup).

Currently it uses default pwqcheck options to check the passwords
(max=40, min=disabled,24,11,8,7), which means that the message
in account.php (account_password_help) ("not too short,
must contain multiple character classes...") is not exact: it may
contain two character classes if its length is 24 or more;
I think this uncertainty could be addressed if the help message
is modified like "long enough or containing multiple character
classes &c", with exact pwqcheck options displayed.

Now, I can see two specific suggestions about the checks in this
thread (a patch is attached):

(0) Allow single-class passwords if they are long enough.

    NIST Electronic Authentication Guideline [0] suggests that
    a 22-character-long user-chosen password composed from a 10-character
    alphabet has the same entropy as a 7-character-long user-chosen
    extensively checked password, so it must be safe to replace
    "disabled" with "24".

(1) Allow longer passwords.

    I think 256 bytes should be sufficient: even if 3-byte UTF-8
    characters are used, it would be about 90 symbols, and it is hard
    to expect that longer passwords may be useful.

[0] http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf
    (Table A.1 on page 107)
diff --git a/frontend/php/include/account.php b/frontend/php/include/account.php
index f81635f..e757500 100644
--- a/frontend/php/include/account.php
+++ b/frontend/php/include/account.php
@@ -24,11 +24,13 @@
 require_once(dirname(__FILE__).'/pwqcheck.php');
 
 function account_password_help() {
-  global $use_pwqcheck;
-  $help = _("(not too short, must contain multiple character classes: symbols, 
digits (0-9), upper and lower case letters)");
+  global $use_pwqcheck, $pwqcheck_args;
+  $help = _("(long enough or containing multiple character classes: symbols, 
digits (0-9), upper and lower case letters)");
   if ($use_pwqcheck) {
     $pwqgen = exec("pwqgen");
-    $help .= " ".sprintf(_("(for instance: %s)"), htmlspecialchars($pwqgen));
+    $help .= " ".sprintf(_("(for instance: %s)."), htmlspecialchars($pwqgen));
+    $help .= " ".sprintf(_("pwqcheck options are: '%s'"),
+                         htmlspecialchars($pwqcheck_args));
   }
   return $help;
 }
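Review bot: With `$use_pwqcheck` true and `$pwqcheck_args` left at its previous empty default, the appended sentence renders as `pwqcheck options are: ''`, which tells the user nothing; guard the second `sprintf` with `if ($pwqcheck_args != '')` or print the effective defaults instead. The raw option string (`max=256 min=24,24,11,8,7`) is also opaque to someone choosing a password, so consider stating the thresholds in plain words next to it, for example "at least 24 characters if only one kind of character is used". Both `_()` strings changed, so the translation catalogues need updating as well.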
diff --git a/frontend/php/include/init.php b/frontend/php/include/init.php
index 7b17312..3e7ab80 100644
--- a/frontend/php/include/init.php
+++ b/frontend/php/include/init.php
@@ -88,9 +88,17 @@ $sys_debug_sqlprofiler = false;
 // Do we have the pwqcheck(1) program from the passwdqc package?
 $use_pwqcheck = TRUE;
 // We can override the default password policy
-$pwqcheck_args = '';
-#$pwqcheck_args = 'config=/etc/passwdqc.conf';
-
+// max=40 is overridden because some users want longer passwords.
+// min=default,24,11,8,7 is overridden for N0 passwords
+// (the passwords consisting of characters from single class)
+// because NIST Electronic Authentification Gudeline
+// (Special Publication 800-63-1, Table A.1 on page 107
+//  http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf)
+// suggests that user-chosen 7 characters long password passing extensive
+// checks has 27 bits of entropy, the same as 22 characters long
+// user-chosen password composed from 10-character alphabet with no checks
+// implied, so we can safely admit any 24 characters long passwords.
+$pwqcheck_args = 'max=256 min=24,24,11,8,7';
 
 # autoconf-based:
 require_once(dirname(__FILE__).'/ac_config.php');
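Review bot: The comment line `// min=default,24,11,8,7 is overridden for N0 passwords` does not match pwqcheck's actual default, which the covering mail itself gives as `min=disabled,24,11,8,7`; write `min=disabled,...` so the comment documents the value being replaced. In the same comment block `NIST Electronic Authentification Gudeline` should read `Authentication Guideline`. Dropping `#$pwqcheck_args = 'config=/etc/passwdqc.conf';` loses the only pointer to the site-wide passwdqc configuration; keeping that line (still commented) above the new assignment preserves the option for administrators. Since the mail sizes `max=256` in bytes, confirm that every other limit on the password's path (form field, database column) is at least as large, or the longer passwords the comment promises will be truncated elsewhere.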

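As an added illustration (not part of the patch or of the Savane code), a small Python model of how pwqcheck's `max=N` and `min=N0,N1,N2,N3,N4` options decide acceptance, comparing the default options quoted in the mail with the ones the patch sets. It mirrors passwdqc's rule that a leading capital letter and a trailing digit do not add a character class (an assumption of this model) and omits the dictionary, repetition and passphrase (N2) checks the real tool performs, so it shows only the per-class length thresholds.

```python
# Simplified model of pwqcheck's length-by-class policy (not passwdqc's code).
# Assumption: a leading upper-case letter and a trailing digit do not count
# towards the number of classes, as passwdqc documents.  Dictionary,
# repetition and passphrase (N2) checks are deliberately not modelled.

def char_classes(password: str) -> int:
    """Number of character classes (digits, lower, upper, other) in password."""
    body = password
    if body and body[0].isupper():   # leading capital is not counted (assumption)
        body = body[1:]
    if body and body[-1].isdigit():  # trailing digit is not counted (assumption)
        body = body[:-1]
    tests = (str.isdigit, str.islower, str.isupper, lambda c: not c.isalnum())
    classes = sum(1 for t in tests if any(t(c) for c in body))
    return max(classes, 1)

def parse_pwqcheck_args(args: str) -> dict:
    """Parse 'max=N min=N0,N1,N2,N3,N4' on top of pwqcheck's defaults."""
    policy = {"max": 40, "min": [None, 24, 11, 8, 7]}  # defaults quoted in the mail
    for token in args.split():
        key, value = token.split("=", 1)
        if key == "max":
            policy["max"] = int(value)
        elif key == "min":
            policy["min"] = [None if v == "disabled" else int(v)
                             for v in value.split(",")]
    return policy

def check_password(password: str, args: str) -> tuple:
    """Return (accepted, reason) for password under the given pwqcheck args."""
    policy = parse_pwqcheck_args(args)
    if len(password) > policy["max"]:
        return False, "too long"
    classes = char_classes(password)
    # 1..4 classes map to N0, N1, N3, N4; N2 is reserved for passphrases
    minimum = policy["min"][{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if minimum is None:
        return False, f"{classes}-class passwords are disabled"
    if len(password) < minimum:
        return False, f"{classes}-class password needs at least {minimum} characters"
    return True, "ok"

DEFAULT_ARGS = "max=40 min=disabled,24,11,8,7"   # pwqcheck defaults, per the mail
PATCHED_ARGS = "max=256 min=24,24,11,8,7"        # value set by the patch

if __name__ == "__main__":
    for pw in ("z" * 24, "z" * 50, "Password1"):   # constructed sample inputs
        print(pw[:12], check_password(pw, DEFAULT_ARGS), check_password(pw, PATCHED_ARGS))
```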