Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEE6Ne19DWrvieYjbEdJPk+-XPzLw36HsiLCef7Yo8MFsGSWbw@mail.gmail.com>
Date: Wed, 3 Oct 2018 13:33:58 +0200
From: Tomas Hudik <xhudik@...il.com>
To: passwdqc-users@...ts.openwall.com
Subject: Re: rules

Hi Alex,

thanks for super-fast answer - yeah that makes sense and it solves the
problem!!!

On Wed, Oct 3, 2018 at 1:21 PM Solar Designer <solar@...nwall.com> wrote:

> Hi Tomas,
>
> On Wed, Oct 03, 2018 at 10:52:54AM +0200, Tomas Hudik wrote:
> > i have a newbie question - my   /etc/pam.d/common-password (ubuntu 18.04)
> > has lines:
> >
> > password        requisite      pam_passwdqc.so min=disabled,8,8,8,7
> > passphrase=0
> > password    [success=1 default=ignore]    pam_unix.so use_authtok obscure
> > sha512
> >
> > However, when I try:
> > sudo passwd user
> >
> > to change password to "1234567i" (which is 2 classes: numbers, lowercase
> > and 8 characters)
> > fails.
> > Do you have why? Based on rules (min 8acharacters per 2 classes) should
> be
> > fine
>
> It probably tells you why.  Here's how to obtain the same behavior
> without bothering with PAM yet, for testing:
>
> $ echo 1234567i | pwqcheck -1 min=disabled,8,8,8,7 passphrase=0
> Bad passphrase (based on a common sequence of characters and not a
> passphrase)
>
> Here's how to disable the extra check to have that password accepted:
>
> $ echo 1234567i | pwqcheck -1 min=disabled,8,8,8,7 passphrase=0 match=0
> OK
>
> So to achieve what you want, add match=0 to the line in
> /etc/pam.d/common-password.
>
> Testing the resulting somewhat weak policy on common passwords from
> JtR's default password.lst gives these accepted common passwords:
>
> $ grep -v '^#!comment:' /usr/share/john/password.lst | pwqcheck -1 --multi
> min=disabled,8,8,8,7 passphrase=0 match=0 | grep -n ^OK:
> 153:OK: asdfjkl;
> 233:OK: a1b2c3d4
> 731:OK: abcd1234
> 914:OK: jordan23
> 1218:OK: asdf1234
> 1309:OK: chris123
> 1453:OK: happy123
> 1467:OK: hello123
> 1704:OK: qwerty12
> 1921:OK: 1234qwer
> 1930:OK: apollo13
> 2037:OK: blink182
> 2040:OK: passw0rd
> 2044:OK: iloveyou!
> 2053:OK: 1q2w3e4r
> 2068:OK: 1qaz2wsx
> 2070:OK: monkey12
> 2072:OK: q1w2e3r4
> 2497:OK: ncc1701d
> 2530:OK: porsche911
> 2577:OK: ncc1701e
> 2841:OK: asdf;lkj
> 2964:OK: front242
> 3446:OK: good-luck
> 3453:OK: sample123
> 3486:OK: ChangeMe
> 3487:OK: Front242
>
> Without the match=0 addition, it'd be only these 4:
>
> $ grep -v '^#!comment:' /usr/share/john/password.lst | pwqcheck -1 --multi
> min=disabled,8,8,8,7 passphrase=0 | grep -n ^OK:
> 2044:OK: iloveyou!
> 2497:OK: ncc1701d
> 2530:OK: porsche911
> 2577:OK: ncc1701e
> 3446:OK: good-luck
>
> Alexander
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.