Message-ID: <20260305092309.GA6708@openwall.com>
Date: Thu, 5 Mar 2026 10:23:09 +0100
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, passwdqc-users@...ts.openwall.com
Subject: [openwall-announce] passwdqc 2.1.0
Hi,
This is to announce passwdqc 2.1.0, a new version of our password and
passphrase strength checking and enforcement tool set:
https://www.openwall.com/passwdqc/
Contributors to this release are:
$ git shortlog -sn v2.0.3..v2.1.0
48 Solar Designer
16 Dmitry V. Levin
4 Zaiba Sanglikar
2 Eero Häkkinen
I'd like to also thank CIQ for enabling me to work on this release at
this time.
Packages of this new release are already built for RHEL 8 and 9 alikes
in Rocky Linux SIG/Security and will be propagating to the download
mirrors shortly. Equivalent packages are also already available in
CIQ's RLC Pro Hardened product, which uses pam_passwdqc by default.
Significant changes between 2.0.3 and 2.1.0 are as follows:
Add built-in generated common passwords list and a script to (re)generate it.
Specifically, we effectively include top 100k of HIBPv8 overlap with RockYou,
optimized to ~50k entries and compressed to under 200 KB as now embedded in
program binary. With this and our default policy, we no longer accept anything
from current JtR jumbo default password.lst (1.8 million entries, where we'd
previously accept 0.1%), and we accept only under 0.03% from first 10 million
that the same JtR generates by default (previously 0.3%) - all while having
minimal impact on acceptance of stronger passwords (tested on those uncracked
in CMIYC 2010). Add new rejection reason "based on a common password".
Optimize the fuzzy matching against wordlist entries such that it's fast enough
even with the larger default wordlist (or with external wordlists, which may be
larger yet).
Slightly expand the previously existing built-in English word list and common
character sequences list. Importantly, these are used even when the above
newly added common passwords list is overridden with the wordlist= option to
use an external wordlist, so that basic checks of this sort continue to work
regardless of the external wordlist's quality.
Revise matching of wordlist entries against qualifying multi-word passphrases.
It is expected and allowed for such a passphrase to consist of words, so words
were not and still are not discounted, but if a wordlist entry matches a
longer-than-one-word part of a passphrase, that part is now nevertheless discounted.
Revise matching of leetspeak to maintain intuitive behavior despite the
change above (challenging because digits in leetspeak words look like word
separators), as well as to better reflect what's actually common and exclude
what is not.
Revise non-ASCII passphrase word counting logic: no longer require non-ASCII
words to be separated specifically by spaces, but allow any ASCII non-letters
as separators.
Simplify the default password policy by no longer allowing length 7.
Add Finnish translation of rejection reasons and pam_passwdqc messages.
In Makefile, pass certain default hardening flags to compiler and linker when
building for Linux, and let the package add more of them and/or override them.
Add tests, run them on "make check", run that from RPM spec %check.
Replace the bundled RPM spec with Fedora's, update it for this release.
Fix macOS and Solaris builds.
Alexander
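The passphrase word-counting change described above (any ASCII non-letter now acts as a word separator, rather than only a space between non-ASCII words) can be illustrated with a small tokenizer. The code below is an added example written for this page; it is not passwdqc's own code, and it does not reproduce passwdqc's actual implementation. It assumes the rule exactly as the announcement states it: a run of ASCII non-letters (digits, punctuation, whitespace) separates words, while ASCII letters and every non-ASCII character are word characters. The minimum of 3 words mirrors the `passphrase=` default from passwdqc's documentation, which is an assumption here rather than something this announcement states. All sample passphrases are constructed for the example.

```python
import re

# Separator rule as stated in the 2.1.0 announcement (illustrative model, not
# passwdqc's code): any run of ASCII non-letters is a word separator.
# 0x00-0x40: controls, space, punctuation, digits, '@'
# 0x5b-0x60: [ \ ] ^ _ `
# 0x7b-0x7f: { | } ~ DEL
# ASCII letters (A-Z, a-z) and all code points above 0x7f are word characters.
_ASCII_NON_LETTER_RUN = re.compile(r"[\x00-\x40\x5b-\x60\x7b-\x7f]+")


def split_words(passphrase: str) -> list[str]:
    """Split a passphrase into words under the any-ASCII-non-letter rule."""
    return [w for w in _ASCII_NON_LETTER_RUN.split(passphrase) if w]


def split_words_spaces_only(passphrase: str) -> list[str]:
    """Simplified model (an assumption, not passwdqc's old code) of the
    pre-2.1.0 behaviour for non-ASCII words: only a space separates them."""
    return [w for w in passphrase.split(" ") if w]


def word_count(passphrase: str) -> int:
    """Number of words under the new separator rule."""
    return len(split_words(passphrase))


def meets_passphrase_minimum(passphrase: str, min_words: int = 3) -> bool:
    """True if the passphrase has at least min_words words.

    min_words=3 mirrors passwdqc's documented passphrase= default (assumption).
    """
    return word_count(passphrase) >= min_words


if __name__ == "__main__":
    # Constructed sample passphrases for the demonstration.
    samples = [
        "correct horse battery staple",   # ASCII, spaces
        "Käse Brötchen Apfel",            # non-ASCII, spaces
        "Käse-Brötchen,Apfel",            # non-ASCII, punctuation separators
        "sähkö123",                       # trailing digits are stripped
        "p4ssw0rd",                       # caveat: digits split a leetspeak word
    ]
    for s in samples:
        print(f"{s!r}: new rule -> {split_words(s)} ({word_count(s)} words), "
              f"spaces-only model -> {split_words_spaces_only(s)}")
```

Note the last sample: under this naive tokenizer, digits inside a leetspeak word such as `p4ssw0rd` look like separators and split it into three fragments. That is exactly the difficulty the announcement mentions for leetspeak matching; passwdqc handles it in its revised leetspeak logic, which this illustration does not model.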