Re: password cracking question
From: Unruh (unruh-spam_at_physics.ubc.ca)
Date: 26 Jul 2005 12:17:59 GMT
Lawrence D'Oliveiro <email@example.com_zealand> writes:
>In article <firstname.lastname@example.org>,
> Unruh <email@example.com> wrote:
>>Christophe Vandeplas <firstname.lastname@example.org> writes:
>>>You should install cracklib and enable it in your pam.
>>>This library will test the password when the user changes it,
>>>if it's a (possibly) insecure password, it will warn the user.
>>>You can also configure it to only allow 'secure' passwords.
>>It is somewhat idiosyncratic in its choice of what a bad password is. It
>>was also developed for the old 8 byte crypt(3) password, and is not as
>>useful for the md5-based bsd password hash now in use.
>What difference does it make what hash is used? I thought the cracklib
>option would check the password the user entered _before_ it was
It has been a while since I looked at the source code but when I did it was
strongly set up for 8 character passwords. Thus if you give it more it would
just test the first 8 if I recall properly. Also the md5 passwords can
essentially be of arbitrary length, which makes cracking them much harder,
and makes the use of password checking less useful.
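Added example (not code from the thread, from cracklib or from PAM): a minimal password pre-check of the kind that runs at password-change time, parameterised by the hash scheme so that it judges exactly the bytes the hash will store. The wordlist, the `SIGNIFICANT_BYTES` table and the rule thresholds are constructed for illustration; the two scheme names are the classic DES-based crypt(3) (first 8 bytes significant) and md5-crypt (whole string significant), which is the distinction the message above draws.

```python
# Added example, not code from the thread or from cracklib: a small password
# pre-check of the kind PAM runs at password-change time, parameterised by the
# hash scheme so it judges exactly the bytes that hash will actually store.

# Constructed stand-in for cracklib's dictionary.
WORDLIST = {"correct", "dragon", "password", "letmein", "qwerty", "monkey"}

# How many leading bytes each scheme actually hashes: the classic DES-based
# crypt(3) uses only the first 8; md5-crypt ($1$) uses the whole string.
SIGNIFICANT_BYTES = {"descrypt": 8, "md5crypt": None}


def effective_password(pw: str, scheme: str) -> str:
    """Part of the password that the given hash scheme will actually store."""
    limit = SIGNIFICANT_BYTES[scheme]
    return pw if limit is None else pw[:limit]


def _normalize(s: str) -> str:
    """cracklib-style reductions: case-fold, drop surrounding whitespace and trailing digits."""
    return s.lower().strip().rstrip("0123456789")


def _char_classes(s: str) -> int:
    """Count how many of lower / upper / digit / other appear in s."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for t in tests if any(t(c) for c in s))


def check_password(pw: str, scheme: str) -> list[str]:
    """Return the reasons a password should be refused; an empty list means accept.

    The checks run on the effective password, so a long passphrase is judged on
    its first 8 bytes under descrypt (which is all the hash keeps) and on its
    full length under md5crypt.
    """
    cand = effective_password(pw, scheme)
    reasons = []
    if len(cand) < 8:
        reasons.append("too short")
    if _normalize(cand) in WORDLIST:
        reasons.append("based on a dictionary word")
    # Short passwords must mix classes; long passphrases get strength from length.
    if len(cand) < 16 and _char_classes(cand) < 2:
        reasons.append("too few character classes")
    return reasons


if __name__ == "__main__":
    for pw in ("Dragon42", "correct horse battery staple"):
        for scheme in SIGNIFICANT_BYTES:
            verdict = check_password(pw, scheme) or "accepted"
            print(f"{scheme:9s} {pw!r:32s} judged on {effective_password(pw, scheme)!r}: {verdict}")
```

Running it shows the two hashes agreeing on a short password ("Dragon42" is a dictionary word either way) and disagreeing on the 28-character passphrase: under md5-crypt it is accepted, while under crypt(3) the only bytes that survive are "correct ", which the checker rightly refuses. A checker that truncates unconditionally would give the crypt(3) verdict for both hashes, which is the mismatch the message describes.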