On Sun, Jun 09, 2002 at 04:13:52AM +1000, Jenn Vesperman wrote:
> > On Fri, Jun 07, 2002 at 05:30:51PM +1000, John Warburton wrote:
>
> > > My question is that cracklib has a huge dictionary & I can add to it. But,
> > > pam_passwdqc has a small dictionary in wordset_4k.c (it doesn't even have
> > > the word "snoopy" ;-) I don't feel as safe with pam_passwdqc as it has a
> > > small dictionary, yet Solar Designer really has it in for libcrack, and I
> > > respect Solar Designer's opinion.
>
> Why not use both? Stack them. Make the users pass both systems.

It's not such a good idea because:

1. One of the features of pam_passwdqc is its support for passphrases.
They may contain dictionary words, yet be strong enough. Also using
CrackLib would defeat that.

2. Both pam_passwdqc and pam_cracklib support user interaction. In
order to stack both modules, you'd have to disable user interaction in
one (which, at least for the case of pam_passwdqc, is supported). The
disadvantage is that by doing so you disallow having multiple attempts
to enter a new password which would satisfy the module for which user
interaction has been disabled. If a weak password is entered (by that
module's definition), pam_chauthtok() will immediately return failure.

-- 
/sd
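
The stacking arrangement discussed in point 2, written out as an added illustration that is not part of the original message. The service file name, control flags and retry counts are assumptions; `retry=` and `use_authtok` are the documented options of these modules.

```conf
# /etc/pam.d/passwd  (assumed service file; layout varies by distribution)

# --- Variant A: both checkers stacked (the setup the message argues against)
# pam_cracklib prompts for the new password and may re-prompt up to 3 times.
password  requisite  pam_cracklib.so  retry=3
# pam_passwdqc must not prompt a second time, so use_authtok makes it check
# the password already collected above. User interaction in pam_passwdqc is
# now disabled: if it rejects the password, the stack fails and
# pam_chauthtok() returns failure at once, with no further attempt offered.
password  requisite  pam_passwdqc.so  use_authtok
# pam_unix stores the password that passed both checks.
password  required   pam_unix.so      use_authtok

# --- Variant B: pam_passwdqc alone
# pam_passwdqc does the prompting itself, so a rejected password leads to a
# re-prompt (up to retry= times) and passphrases are judged only by its rules.
#password  requisite  pam_passwdqc.so  retry=3
#password  required   pam_unix.so      use_authtok
```

In Variant A a passphrase has to satisfy pam_cracklib's dictionary check before pam_passwdqc ever sees it, which is the conflict described in point 1.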