Message-ID: <20160722193127.GA10985@openwall.com>
Date: Fri, 22 Jul 2016 22:31:27 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, passwdqc-users@...ts.openwall.com
Subject: passwdqc 1.3.1; in Go, JS, Perl, PHP, Python, Ruby; for Windows

Hi,

This is to announce three passwdqc developments:

1. We've released passwdqc 1.3.1 yesterday:

http://www.openwall.com/passwdqc/

This fixes a bug that Jim Paris reported to us via Debian on July 14:

https://bugs.debian.org/831356

As it turns out, since passwdqc 1.1.3 in 2009 the rarely used "non-unix"
option to pam_passwdqc was broken: when that option was enabled,
pam_passwdqc would either segfault or potentially wrongly conclude that a
password is based on the user's information (false positive detection of
weak password).

Under the hood, the problem was an uninitialized pointer in a struct
passed from one source file to another. (Luckily, the pointed-to memory
was only read from, not written to.)

Being curious, I ran passwdqc 1.3.0 through Coverity and through a recent
gcc 7 snapshot's UBSan (as well as ASan), and neither caught the bug, even
though it is of the type I think these tools are meant to catch. I guess
they don't work over translation unit boundaries yet.

This 1.3.1 release was also subject to this kind of testing, as well as
testing on the RockYou list and on plenty of /dev/urandom.

There are a few other minor changes since 1.3.0 as well, but nothing that
would (purposefully) change what passwords are accepted (and indeed there's
no change on the RockYou test). See the changelog in passwdqc.spec for
more detail.

2. Over the years, people and companies contributed ports of and derived
reimplementations of functionality from passwdqc to other languages, as
well as language bindings for passwdqc proper.

The passwdqc homepage finally lists many more of these contributions than
it did before, and there are local copies in the Openwall file archive:

http://www.openwall.com/passwdqc/#contrib
http://download.openwall.net/pub/projects/passwdqc/contrib/

Currently listed are Go bindings (by Dmitry Chestnykh), JavaScript port
and its online demo (by Parallels, now Odin), Perl module in CPAN (by
Sherwin Daganato), PHP_passwdqc_check (by Eric Helvey) and GenPhrase (by
Timo H), Python package/egg reimplementing some algorithms from passwdqc
(by Alastair Houghton), and Ruby gems ffi-passwdqc, pwqgen.rb,
easy_passwords (by different authors).

If you have made or are aware of more of these, please add them to:

http://openwall.info/wiki/passwdqc#Ports-to-and-bindings-for-other-programming-languages

and we'll eventually update the homepage and Openwall archive as well.

3. We've just released passwdqc for Windows:

http://www.openwall.com/passwdqc/windows/

Given the target users/market for this (with expensive Windows Server
installs, and compliance rather than security), it is a non-free derived
version of the main passwdqc (which will remain free).

Supported are both domain controllers and end-user systems. The product,
once installed, registers with the system a password filter DLL, which is
where the policy is enforced. Also included are three programs:
Configuration, Change Password, and Reset Password - please see the
screenshots. The latter two programs may be used to easily duplicate the
domain controller's password policy on end-user systems, so that the users
are informed of the specific reasons why their initial choice of new
password may not have met policy.

We're currently providing both 64- and 32-bit builds in the form of .msi
packages (installers), and per our testing these should work on at least
Server 2008 or Windows Vista through Server 2012 and Windows 10.

Feedback is welcome on the passwdqc-users mailing list, or privately.

Alexander
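As an added illustration of the bug class described in item 1 above (example code written for this page, not passwdqc's own code; the names pw_user_info, pw_params, pw_params_init and pw_based_on_user are hypothetical and the struct layout is only modelled on the description), the following C shows a struct produced in one place and consumed in another, with the two defensive measures that keep a forgotten pointer member from turning into a crash or a false "weak password" verdict: zeroing the whole object before setting fields, and validating the pointer on the consuming side.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/*
 * Added example, not passwdqc's code. Models the announcement's bug class:
 * a struct filled in by one source file and read by another, where the
 * producer never set a pointer member. All names are hypothetical.
 */

struct pw_user_info {
    const char *login;  /* account name the password must not be based on */
};

struct pw_params {
    int min_len;
    int non_unix;                     /* stands in for an option like "non-unix" */
    const struct pw_user_info *user;  /* set by the caller, read by the checker */
};

/*
 * Producer side: zero the whole object before setting defaults, so a member
 * the caller forgets to set (here `user`) is a NULL pointer rather than
 * whatever the stack held. A plain `struct pw_params p;` followed by
 * field-by-field assignment would leave `user` indeterminate.
 */
void pw_params_init(struct pw_params *p)
{
    memset(p, 0, sizeof *p);
    p->min_len = 8;
}

/* Case-insensitive substring search; returns 1 if needle occurs in hay. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0)
        return 0;
    for (; *hay; hay++) {
        size_t i;
        for (i = 0; i < n && hay[i] &&
             tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n)
            return 1;
    }
    return 0;
}

/*
 * Consumer side: validate the pointer that came from the other translation
 * unit before dereferencing it. Returns 1 if the password contains the
 * login, 0 if not, and -1 when no user information was supplied, so a
 * missing field becomes an explicit error instead of a guess.
 */
int pw_based_on_user(const struct pw_params *p, const char *password)
{
    if (p == NULL || password == NULL || p->user == NULL || p->user->login == NULL)
        return -1;
    return contains_ci(password, p->user->login);
}

int main(void)
{
    struct pw_user_info u = { "bob" };   /* constructed sample user */
    struct pw_params p;

    pw_params_init(&p);
    if (pw_based_on_user(&p, "Bob123") != -1)   /* user not set: error, not "weak" */
        return 1;
    p.user = &u;
    if (pw_based_on_user(&p, "Bob123") != 1)    /* contains the login */
        return 1;
    return pw_based_on_user(&p, "xyzzy42") != 0; /* unrelated password passes */
}
```

The point of the consumer-side check is that a forgotten pointer then fails deterministically with -1 on every input, which a regression run over a known list (such as the RockYou test mentioned above) exposes immediately, whereas an indeterminate pointer that merely gets read may behave differently from one build or stack layout to the next and slip past sanitizers.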