Message-ID: <20181003112145.GA14820@openwall.com>
Date: Wed, 3 Oct 2018 13:21:45 +0200
From: Solar Designer <solar@...nwall.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: rules

Hi Tomas,

On Wed, Oct 03, 2018 at 10:52:54AM +0200, Tomas Hudik wrote:
> I have a newbie question - my /etc/pam.d/common-password (Ubuntu 18.04)
> has these lines:
> 
> password        requisite      pam_passwdqc.so min=disabled,8,8,8,7 passphrase=0
> password    [success=1 default=ignore]    pam_unix.so use_authtok obscure sha512
> 
> However, when I try:
> sudo passwd user
> 
> to change the password to "1234567i" (which is 2 classes: numbers, lowercase,
> and 8 characters), it fails.
> Do you know why? Based on the rules (min 8 characters for 2 classes) it should be
> fine.

It probably tells you why.  Here's how to obtain the same behavior
without bothering with PAM yet, for testing:

$ echo 1234567i | pwqcheck -1 min=disabled,8,8,8,7 passphrase=0
Bad passphrase (based on a common sequence of characters and not a passphrase)

Here's how to disable the extra check to have that password accepted:

$ echo 1234567i | pwqcheck -1 min=disabled,8,8,8,7 passphrase=0 match=0
OK

So to achieve what you want, add match=0 to the line in
/etc/pam.d/common-password.

Testing the resulting somewhat weak policy on common passwords from
JtR's default password.lst gives these accepted common passwords:

$ grep -v '^#!comment:' /usr/share/john/password.lst | pwqcheck -1 --multi min=disabled,8,8,8,7 passphrase=0 match=0 | grep -n ^OK:
153:OK: asdfjkl;
233:OK: a1b2c3d4
731:OK: abcd1234
914:OK: jordan23
1218:OK: asdf1234
1309:OK: chris123
1453:OK: happy123
1467:OK: hello123
1704:OK: qwerty12
1921:OK: 1234qwer
1930:OK: apollo13
2037:OK: blink182
2040:OK: passw0rd
2044:OK: iloveyou!
2053:OK: 1q2w3e4r
2068:OK: 1qaz2wsx
2070:OK: monkey12
2072:OK: q1w2e3r4
2497:OK: ncc1701d
2530:OK: porsche911
2577:OK: ncc1701e
2841:OK: asdf;lkj
2964:OK: front242
3446:OK: good-luck
3453:OK: sample123
3486:OK: ChangeMe
3487:OK: Front242

Without the match=0 addition, it'd be only these 4:

$ grep -v '^#!comment:' /usr/share/john/password.lst | pwqcheck -1 --multi min=disabled,8,8,8,7 passphrase=0 | grep -n ^OK:
2044:OK: iloveyou!
2497:OK: ncc1701d
2530:OK: porsche911
2577:OK: ncc1701e
3446:OK: good-luck

Alexander
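The min=N0,N1,N2,N3,N4 length policy discussed in the thread, modelled as an added example (this is not passwdqc's own code): it parses the pwqcheck-style parameters, counts character classes the way the passwdqc documentation describes (an upper-case first character and a digit last character are not counted), and applies the per-class minimum. It covers only that stage, so 1234567i passes here; the separate "common sequence" check that match=0 disables is what rejects it in the thread.

```python
# Added example, not passwdqc's own implementation: a model of the
# min=N0,N1,N2,N3,N4 length policy applied by pam_passwdqc / pwqcheck.
# The passphrase path (N2, min words) is skipped because the thread's policy
# sets passphrase=0; non-ASCII handling is also left out for brevity.


def parse_policy(params: str) -> dict:
    """Parse 'key=value' tokens such as 'min=disabled,8,8,8,7 passphrase=0'."""
    policy = {"min": [None, 24, 11, 8, 7], "passphrase": 3}  # passwdqc defaults
    for token in params.split():
        key, _, value = token.partition("=")
        if key == "min":
            fields = value.split(",")
            if len(fields) != 5:
                raise ValueError("min= needs exactly five comma-separated fields")
            policy["min"] = [None if f == "disabled" else int(f) for f in fields]
        elif key == "passphrase":
            policy["passphrase"] = int(value)
    return policy


def char_classes(password: str) -> int:
    """Count classes (digits, lower, upper, other) as passwdqc documents it."""
    digits = sum(c.isdigit() for c in password)
    lowers = sum(c.islower() for c in password)
    uppers = sum(c.isupper() for c in password)
    others = len(password) - digits - lowers - uppers
    # An upper-case first character and a digit last character do not count.
    if uppers and password[0].isupper():
        uppers -= 1
    if digits and password[-1].isdigit():
        digits -= 1
    return sum(1 for n in (digits, lowers, uppers, others) if n)


def meets_min(password: str, params: str) -> tuple:
    """Return (accepted, reason) for the length-per-class stage only."""
    policy = parse_policy(params)
    classes = char_classes(password)
    if classes == 0:
        return False, "no countable character classes"
    # N0 -> 1 class, N1 -> 2 classes, N3 -> 3 classes, N4 -> 4 classes
    required = policy["min"][{1: 0, 2: 1, 3: 3, 4: 4}[classes]]
    if required is None:
        return False, f"{classes}-class passwords are disabled by the policy"
    if len(password) < required:
        return False, f"{classes} classes need at least {required} characters"
    return True, f"{classes} classes, length {len(password)} >= {required}"


if __name__ == "__main__":
    for pw in ("1234567i", "Password1", "passw0rd", "abc123"):
        print(pw, meets_min(pw, "min=disabled,8,8,8,7 passphrase=0"))
```

Under the thread's policy, Password1 is refused by this stage alone: its leading capital and trailing digit do not count, leaving a single-class password, which min=disabled forbids at any length.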
