Re: password cracking question

From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 07/26/05


Date: 26 Jul 2005 12:17:59 GMT

Lawrence D'Oliveiro <ldo@geek-central.gen.new_zealand> writes:

>In article <dbjal5$bhb$6@nntp.itservices.ubc.ca>,
> Unruh <unruh-spam@physics.ubc.ca> wrote:

>>Christophe Vandeplas <christophe@vandeplas.com> writes:
>>
>>>You should install cracklib and enable it in your pam.
>>>This library will test the password when the user changes it,
>>>if it's a (possible) unsecure password, it will warn the user.
>>>You can also configure it to only allow 'secure' passwords.
>>
>>It is somewhat idiosyncratic in its choice of what a bad password is. It
>>was also developed for the old 8-byte crypt(3) password, and is not as
>>useful for the md5-based BSD password hash now in use.

>What difference does it make what hash is used? I thought the cracklib
>option would check the password the user entered _before_ it was
>encrypted.

It has been a while since I looked at the source code but when I did it was
strongly set up for 8 character passwords. Thus if you give it more it would
just test the first 8 if I recall properly. Also the md5 passwords can
essentially be of arbitrary length, which makes cracking them much harder,
and makes the use of password checking less useful.
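To illustrate the point Unruh makes above, here is an added example (not code from the post, from cracklib, or from the PAM module): a toy cracklib-style password checker that can be run either on the whole string or on only its first 8 characters, the behaviour he recalls for the crypt(3)-era library. The word list, the leet-speak undo table and the rules are constructed here for illustration only; real cracklib uses a large compressed dictionary and a longer set of heuristics. The example shows that a checker which stops reading at byte 8 passes a password whose weak part lies past that point, and that once hashes stop truncating at 8 bytes (as with the md5-based hash) the truncated verdict is no longer the one that matters.

```python
"""Toy cracklib-style checker (constructed example, not cracklib itself).

check_password(pw)               -> judge the whole string
check_password(pw, truncate_to=8) -> judge only the first 8 characters,
                                      modelling a checker written for the
                                      8-byte crypt(3) password.
"""
import re

# Constructed mini dictionary standing in for cracklib's word list.
WORDLIST = {"password", "secret", "letmein", "monkey", "dragon", "qwerty"}

# Simplified "mangling" undo: common digit/symbol substitutions mapped back
# to letters before the dictionary check (Pa$$w0rd -> password).
LEET_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _normalize(word):
    """Lower-case and undo leet substitutions so Pa$$w0rd matches password."""
    return word.lower().translate(LEET_MAP)


def check_password(password, truncate_to=None):
    """Return a list of complaints; an empty list means the password passed.

    truncate_to=None looks at the whole string; truncate_to=8 models the
    first-8-characters-only behaviour attributed to the old cracklib.
    """
    candidate = password[:truncate_to]  # [:None] keeps the whole string
    problems = []

    if len(candidate) < 8:
        problems.append("too short")

    norm = _normalize(candidate)
    # Constructed rule: any dictionary word of 6+ letters appearing anywhere
    # in the normalized candidate counts as "dictionary based".
    if any(len(w) >= 6 and w in norm for w in sorted(WORDLIST)):
        problems.append("contains a dictionary word")

    if len(candidate) > 1 and candidate == candidate[::-1]:
        problems.append("palindrome")

    if len(candidate) >= 4 and len(set(candidate)) <= 2:
        problems.append("too few distinct characters")

    classes = sum(bool(re.search(p, candidate)) for p in CHAR_CLASSES)
    if classes < 2:
        problems.append("only one character class")

    return problems


def compare(password):
    """Run both modes so the two verdicts can be placed side by side."""
    return {
        "first8": check_password(password, truncate_to=8),
        "full": check_password(password),
    }


if __name__ == "__main__":
    # Constructed sample passwords.
    samples = [
        "Xk7$pQ2mpassword",            # weak part lies past byte 8
        "Pa$$w0rd",                    # leet-mangled dictionary word
        "correct horse battery staple",
        "abcba",
    ]
    for pw in samples:
        verdicts = compare(pw)
        print(f"{pw!r:32} first8={verdicts['first8']}  full={verdicts['full']}")
```

With the first sample, the 8-character checker sees only `Xk7$pQ2m` and accepts it, while the full-length checker finds the dictionary word in the tail. Under DES crypt(3) that tail never reached the hash, so the short verdict was the relevant one; with a hash that keeps every byte, only the full-length verdict describes what an attacker actually has to guess.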