> > My only concern with this function is that it would still treat (e.g.) two
> > 128-character passwords with good randomization as too similar if they
> > contained the same set of characters. Still, the proposed change is certainly
> > a far sight better than what we currently have, and I don't know of a simple
> > way to check if two passwords are too similar (or even a simple way to
> > /define/ if they're too similar), so I'm not going to worry too much about it.
> > :)
>
> What still concerns me is that a password like:
>
> thequickbrownfoxjumpsoverthelazydog
>
> would be hard to replace, since this check would basically match most of
> any conventional replacement. Any ideas on that?

Here's what I am using in pam_passwdqc:

match=N [match=4]
    The length of common substring required to conclude that a password is at
    least partially based on information found in a character string, or 0 to
    disable the substring search. Note that the password will not be rejected
    once a weak substring is found. Instead, the password will be subjected to
    the usual strength requirements with the weak substring removed. The
    substring search is case-insensitive and is able to detect and remove a
    common substring spelled backwards.

similar=permit|deny [similar=deny]
    Whether a new password is allowed to be similar to the old one. The
    passwords are considered to be similar when there's a sufficiently long
    common substring and the new password with the substring removed would be
    weak.

Signed,
Solar Designer
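The match/similar behaviour documented in the message above, as an added worked example. This is not pam_passwdqc's own code: it implements the described steps (case-insensitive longest common substring, also checked against the old password spelled backwards, removal of that substring, then a strength test on the remainder), but the strength requirement applied to the remainder is an assumed stand-in (a minimum remaining length) rather than pam_passwdqc's real policy. The function names and sample passwords are constructed for the illustration.

```python
"""pam_passwdqc-style similarity check (added illustration, not the module's code).

match=N      -> find_weak_substring(..., match=N); 0 disables the search
similar=deny -> is_too_similar() returns True when a weak substring exists
                and the new password minus that substring fails the
                (assumed) strength requirement.
"""


def longest_common_substring(a: str, b: str) -> tuple[int, int]:
    """Return (length, start index in a) of the longest substring shared by a and b.

    Straightforward O(len(a) * len(b)) dynamic programming over suffix lengths.
    Case folding is the caller's job.
    """
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return best_len, best_end - best_len


def find_weak_substring(new: str, old: str, match: int = 4):
    """Locate the longest part of `new` that also occurs in `old`, either as
    written or spelled backwards; both comparisons are case-insensitive.

    Returns (start, length) within `new`, or None if no common substring reaches
    `match` characters. match=0 disables the search, as documented.
    """
    if match <= 0:
        return None
    n, o = new.lower(), old.lower()
    length, start = longest_common_substring(n, o)
    # Second pass against the old password reversed catches "drowssap" for "password".
    rlength, rstart = longest_common_substring(n, o[::-1])
    if rlength > length:
        length, start = rlength, rstart
    if length >= match:
        return start, length
    return None


def strip_weak_substring(new: str, old: str, match: int = 4) -> str:
    """Return `new` with the weak substring removed (unchanged if none found)."""
    hit = find_weak_substring(new, old, match)
    if hit is None:
        return new
    start, length = hit
    return new[:start] + new[start + length:]


# Assumed stand-in for "the usual strength requirements": the remainder must keep
# at least this many characters. pam_passwdqc's real policy is richer than this.
MIN_REMAINING = 8


def is_too_similar(new: str, old: str, match: int = 4,
                   min_remaining: int = MIN_REMAINING) -> bool:
    """similar=deny semantics: the password is rejected only when a weak
    substring was found AND what is left after removing it is weak."""
    if find_weak_substring(new, old, match) is None:
        return False
    return len(strip_weak_substring(new, old, match)) < min_remaining


if __name__ == "__main__":
    # Constructed sample: the concern raised in the thread, plus a replacement
    # that shares a prefix with the old password but keeps enough new material.
    old = "thequickbrownfoxjumpsoverthelazydog"
    for candidate in (old + "1", "thequickbrownfox-Z9k!pQ2wL", "Correct-Horse-Battery-Staple"):
        print(f"{candidate!r}: too similar = {is_too_similar(candidate, old)}")
```

Note how the check behaves on the example from the thread: appending a single character to the old passphrase leaves a one-character remainder and is rejected, while a candidate that reuses only the "thequickbrownfox" prefix but adds ten fresh characters passes, because only the remainder is held to the strength requirement.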