OpenBSD Journal

Password Strength Checking

Contributed by jcr on from the slacking-editors dept.

Undeadly reader Alexander Peslyak (a.k.a. "Solar Designer") writes in with a note about his passwdqc password/passphrase strength checking and policy enforcement toolkit. Due to copious slacking by the undeadly editors, we're a bit late in getting this posted.

In April, I released version 1.2.0 of passwdqc. This version specifically improves support for OpenBSD, allowing for the pwqcheck program to be specified in OpenBSD's /etc/login.conf and invoked by the passwd(1) program. Previously, this was only supported via "unofficial" rework of older pam_passwdqc code by Damien Miller (djm@). Now it became official - immediately providing all improvements found in current and future versions of passwdqc (since OpenBSD support is to stay). Some recent improvements include fine-tuning of the checks on thousands of real-world cracked vs. presumed-strong passwords, support for 8-bit characters in passphrase words, and extra entropy encoded into randomly-generated passphrases. Not so recent improvements include separation of the "core" code into libpasswdqc, introduction of command-line programs (usable from scripts and now also by OpenBSD) and extra options to them, and making the PAM module optional (indeed, it's not built on OpenBSD, but is useful to have the same password policy elsewhere).

Long story short, to enable passwdqc on OpenBSD, build and install it, then insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\" into the "default" section in /etc/login.conf. This will use passwdqc's default policy, which may be adjusted with additional command-line options (there's a man page documenting those).

Unfortunately, as of OpenBSD 4.6, there's no way to actually enforce the policy. If one enters a non-compliant password (or different ones) multiple times, passwd(1) will eventually give up and permit any password to be set. Hopefully, this shortcoming will get addressed in a later version.

Thank you Alexander for your work (and patience) on this.

(Comments are closed)


Comments
  1. By J.C. Roberts (jcr) jcroberts@designtools.org on http://www.designtools.org

    Antti Harri (iku (AT) openbsd.fi) emailed me a diff which will change the default behavior. I haven't had a chance to check through the diff, but it can be found here:
    http://openbsd.fi/iku/tmp/openbsd-src_usr_bin_passwd_local_passwd_c.diff

    Comments
    1. By Okan Demirmen (okan) on

      > Antti Harri (iku (AT) openbsd.fi) emailed me a diff which will change the default behavior. I haven't had a chance to check through the diff, but it can be found here:
      > http://openbsd.fi/iku/tmp/openbsd-src_usr_bin_passwd_local_passwd_c.diff

      set passwordtries=0 in /etc/login.conf (see the pwd_tries == 0 check).

      Besides being slightly incomplete, there is a comment in pwd_check.c that explains why the magic number is 3.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]