Message-ID: <20130505052118.GA23001@openwall.com>
Date: Sun, 5 May 2013 09:21:18 +0400
From: Solar Designer <solar@...nwall.com>
To: javier wilson <javier.wilson@...il.com>
Cc: passwdqc-users@...ts.openwall.com
Subject: Re: option to use spanish words

Hi,

On Fri, Apr 05, 2013 at 01:13:46PM -0300, javier wilson wrote:
> I have changed the source a little bit to allow users to config language as
> Spanish and use a different list of words.
> Have a look at https://github.com/javierwilson/passwdqc

I just took a look.  Sorry it took me a month to get to this. :-(

There's a major problem: the order of words in wordset_4k.es.c does not
meet the requirements specified in the comment in wordset_4k.c, and also
two "words" contain characters that are against the requirements
specified in the same comment.  The code in passwdqc_check.c and/or
passwdqc_random.c depends on these properties, which are now not met.
This may result in runtime misbehavior, up to being a security weakness.

More specifically, though, it looks like you got lucky, and generation of
random passphrases is not impacted.  The only disallowed character seen
in the words is a dot, and luckily the list of SEPARATORS does not
include a dot.  The order of words is important to passwdqc_check.c, but
not to passwdqc_random.c.  The code in passwdqc_check.c does depend on
the words being purely alphabetic, so your use of a dot in two of the
words is problematic.  So in practice you slightly broke the checking for
weak passwords.

You also did so by the very replacement of the wordlist from English to
Spanish, because it is likely that even in Spanish-speaking countries
English is more relevant for passwords.  I typically see more
English-based than native-language-based passwords in leaked dumps from
any country.  Maybe Spanish is some kind of an exception, though, because
somehow there were more suggestions to add support for it to passwdqc
than for any other language.

In fact, I had a revised version of passwdqc for Spanish contributed to
me for redistribution, but unfortunately I never got around to doing that
properly. :-(  So you were quicker to post one publicly.

Besides functionality, another aspect is licensing.  I'd appreciate it if
you add proper copyright and licensing statements to any files you
modified or added.  As it is, your revision of passwdqc is not
redistributable, and additionally it misattributes your bugs to me. ;-)

Sorry for the criticism, and thanks,

Alexander