savannah-users

Re: [Savannah-users] password must be more complicated


From: Karl Berry
Subject: Re: [Savannah-users] password must be more complicated
Date: Tue, 7 May 2013 22:47:01 GMT

      $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,24,11,8,7
      Bad passphrase (not enough different characters or classes for this length)

    That has three character classes, lower, upper, digits, and so
    should need N3=8 characters.  It is 8 characters long and so should
    meet the requirements.  But it doesn't.  

It is 8 characters long but not 8 *unique* characters -- o is repeated,
there are no repeated chars in ox8iChae.

Could that be the reason?  Just a wild guess.
(I think it is absurd that this password is rejected, BTW.)

      $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,8,8,8,8
      OK

    Does anyone see why the results are so crazy using pwqcheck?  Is this
    problem causing users grief?  

It is one of the problems, for sure.  Users put together 3 different
classes in their 8 chars (already a big pain), it fails, and since the
feedback as to why it fails is not specific, they just iterate randomly
and find one that works.  Very frustrating.  I've been frustrated by it
myself.

Is there a way to get pwqcheck to report more specifically why a pw is
bad?

    Taking a completely different approach...  Does anyone have a good
    method of checking and ensuring password strength?  The goal isn't to
    use pwqcheck but to try to avoid the too-weak password problem.

At one site I administered, I had a pwchange script which would try to
crack the proposed password for a few seconds.  (And for longer
overnight.)  That caught a lot of things -- the things which crackers
would be most likely to find -- without being much of a hassle.  (I
forget the crack script I used, it was whatever was commonly/publicly
available at the time.)  Clearly this would not replace the kinds of
checks that are being done now, though.

Nevertheless, I think our pw requirements are too strong.  In the sense
that sv makes requirements that no one else does.  Furthermore, getting
into some sv user's web account is really not very interesting to
crackers -- the worst they could do is screw up the stuff for that
user's projects.  My experience is that cracks are directed at gaining
shell/root access.

Anyway ... can you make a proposal for the pwqcheck args to reduce the
pain, Bob?  I am not sure where we stand.

Thanks,
karl



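[Editor's note, added example.]  The pwchange script Karl describes, one
that spends a few seconds trying to crack the proposed password, is not
on the page; the Python below is the editor's sketch of that kind of
hook, not that script.  Assumptions: WORDS is a constructed stand-in for
a real wordlist; the mangling rules (case changes, reversal, leet
substitutions, common suffixes) are a small sample of what cracking tools
apply; guesses are compared in the clear because a change hook already
holds the plaintext, so no hashing is needed; the function names
(mangle, crack, accept_change) and the 2-second budget are the editor's.

```python
# Added example (editor's, not the message's pwchange script): a
# time-boxed guessing pass over a proposed password, run before a
# change is accepted.  Budget exhaustion is reported separately from
# "searched everything and found nothing" so the policy can choose.
import time

# Constructed mini wordlist standing in for a real dictionary.
WORDS = ["password", "letmein", "welcome", "savannah", "qwerty",
         "monkey", "dragon", "master", "summer", "freedom", "admin"]

LEET = str.maketrans("aeios", "43105")
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2013"]


def mangle(word):
    """Yield common variants of one dictionary word."""
    bases = [word, word.capitalize(), word.upper(), word[::-1],
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        if base in seen:
            continue
        seen.add(base)
        for suffix in SUFFIXES:
            yield base + suffix


def crack(proposed, words=WORDS, budget_s=2.0):
    """Guess at a proposed password for at most budget_s seconds.

    Returns a dict whose "result" is "guessed" (with the matching
    "guess") when the proposal lies inside the guessable set,
    "survived" when the whole space was searched without a hit, or
    "timeout" when the budget ran out first.
    """
    deadline = time.monotonic() + budget_s
    tried = 0
    for word in words:
        for guess in mangle(word):
            tried += 1
            if guess == proposed:
                return {"result": "guessed", "guess": guess, "tried": tried}
            if time.monotonic() > deadline:
                return {"result": "timeout", "tried": tried}
    return {"result": "survived", "tried": tried}


def accept_change(proposed, budget_s=2.0):
    """Policy wrapper: reject only what was actually guessed."""
    outcome = crack(proposed, budget_s=budget_s)
    if outcome["result"] == "guessed":
        return False, "rejected: guessable from %r" % outcome["guess"]
    return True, "accepted after %d guesses (%s)" % (outcome["tried"],
                                                      outcome["result"])


if __name__ == "__main__":
    for pw in ("Password123", "S4v4nn4h!", "drowssap1", "ox8iChae"):
        print("%-12s %s" % (pw, accept_change(pw)[1]))
```

The useful property, compared with a class-counting rule, is that the
rejection message can name the dictionary word the proposal was derived
from, so the user learns what to avoid instead of iterating at random.
A real deployment would swap in a full wordlist and a cracker's rule set,
and the overnight pass Karl mentions is the same loop with a larger budget
run against the stored hash rather than the plaintext.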