OpenBSD Journal
Password Strength Checking
Contributed by jcr on Mon Jun 21 08:20:06 2010 (GMT)
from the slacking-editors dept.

Undeadly reader Alexander Peslyak (a.k.a. "Solar Designer") writes in with a note about his passwdqc password/passphrase strength checking and policy enforcement toolkit. Due to copious slacking by the undeadly editors, we're a bit late in getting this posted.

In April, I released version 1.2.0 of passwdqc. This version specifically improves support for OpenBSD, allowing for the pwqcheck program to be specified in OpenBSD's /etc/login.conf and invoked by the passwd(1) program. Previously, this was only supported via "unofficial" rework of older pam_passwdqc code by Damien Miller (djm@). Now it became official - immediately providing all improvements found in current and future versions of passwdqc (since OpenBSD support is to stay). Some recent improvements include fine-tuning of the checks on thousands of real-world cracked vs. presumed-strong passwords, support for 8-bit characters in passphrase words, and extra entropy encoded into randomly-generated passphrases. Not so recent improvements include separation of the "core" code into libpasswdqc, introduction of command-line programs (usable from scripts and now also by OpenBSD) and extra options to them, and making the PAM module optional (indeed, it's not built on OpenBSD, but is useful to have the same password policy elsewhere).

Long story short, to enable passwdqc on OpenBSD, build and install it, then insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\" into the "default" section in /etc/login.conf. This will use passwdqc's default policy, which may be adjusted with additional command-line options (there's a man page documenting those).

Unfortunately, as of OpenBSD 4.6, there's no way to actually enforce the policy. If one enters a non-compliant password (or different ones) multiple times, passwd(1) will eventually give up and permit any password to be set. Hopefully, this shortcoming will get addressed in a later version.

Thank you Alexander for your work (and patience) on this.





  Re: Password Strength Checking (mod -1/21)
by J.C. Roberts (jcr) on Sat Jun 26 19:48:13 2010 (GMT)
  Antti Harri (iku (AT) emailed me a diff which will change the default behavior. I haven't had a chance to check through the diff, but it can be found here:


