[ On Tuesday, September 10, 2002 at 20:51:24 (+0200), Roman Drahtmueller wrote: ]
> Subject: Re: Password Security Policy Question
>
> To have a more satisfactory solution, you could make your system use
> cracklib or similar to check the strength of a new password. It will be
> bitching at you then.

Since it seems "we" will be stuck with using normal passwords for authentication to unix systems for some time yet, it had always amazed me that nobody had integrated cracklib into any of the free unix systems. So nearly two and a half years ago I did exactly that for NetBSD.

http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=10206

I'm still amazed that nothing has been done with my submitted patches since, not in NetBSD nor in any of the other free unix systems so far as I know.

Of course if an attacker knows that the passwords on any given system are not easily guessable by cracklib using at minimum the default dictionaries, then the search space is similarly reduced. However, until someone produces a version of 'crack' or similar that can systematically test every password which 'crack' would normally _not_ test, I believe the bar has been raised.

More to the point, since NetBSD has shadow passwords by default and thus offline cracking is much less likely, I believe that with these patches the chance an attacker can successfully guess a password at the telnet/login/sshd prompt before being detected (by automated daily failed login audits, for example) has been reduced, perhaps significantly.

-- 
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
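To show the kind of test a cracklib-style check applies when a user sets a new password, here is an added, simplified checker; it is not cracklib, not the NetBSD patch from PR 10206, and it uses a constructed mini-dictionary in place of cracklib's real word lists.

```python
# Added example: a simplified, cracklib-style password strength check.
# It only mirrors the shape of the tests cracklib's FascistCheck() performs
# (length, character variety, dictionary basis, login-name basis); it is
# an illustration, not a drop-in replacement.
import re
from typing import Iterator, Optional

# Constructed mini-dictionary standing in for cracklib's word lists.
DICTIONARY = {"password", "netbsd", "secret", "welcome", "dragon", "letmein"}

# Leetspeak substitutions undone before the dictionary lookup, so that
# "p4ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 8
MIN_DISTINCT = 5


def _variants(pw: str) -> Iterator[str]:
    """Yield the normalised forms a guesser would also try for this password."""
    base = pw.lower()
    yield base
    yield base[::-1]                           # reversed
    stripped = re.sub(r"^\d+|\d+$", "", base)  # leading/trailing digits dropped
    yield stripped
    yield stripped[::-1]
    yield base.translate(LEET)                 # leetspeak undone
    yield stripped.translate(LEET)


def check_password(pw: str, username: str = "") -> Optional[str]:
    """Return the reason a password is weak, or None if it passes every test."""
    if len(pw) < MIN_LENGTH:
        return "it is too short"
    if len(set(pw)) < MIN_DISTINCT:
        return "it does not contain enough DIFFERENT characters"
    if username and len(username) >= 3:
        if any(username.lower() in v for v in _variants(pw)):
            return "it is based on your username"
    if any(v in DICTIONARY for v in _variants(pw)):
        return "it is based on a dictionary word"
    return None


if __name__ == "__main__":
    for candidate in ("password", "P4ssw0rd1", "drowssap1", "xk9#Lq2mVt"):
        print(candidate, "->", check_password(candidate) or "OK")
```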