Bugtraq mailing list archives

Re: Password Security Policy Question


From: woods () weird com (Greg A. Woods)
Date: Tue, 10 Sep 2002 21:07:57 -0400 (EDT)

[ On Tuesday, September 10, 2002 at 20:51:24 (+0200), Roman Drahtmueller wrote: ]
Subject: Re: Password Security Policy Question

To have a more satisfactory solution, you could make your system use
cracklib or similar to check the strength of a new password. It will be
bitching at you then.

Since it seems "we" will be stuck with using normal passwords for
authentication to unix systems for some time yet, it had always amazed me
that nobody has integrated cracklib into any of the free unix systems.
So nearly two and a half years ago I did exactly that for NetBSD.

        http://www.netbsd.org/cgi-bin/query-pr-single.pl?number=10206

I'm still amazed that nothing has been done with my submitted patches
since, not in NetBSD nor in any of the other free unix systems so far as
I know.

Of course if an attacker knows that the passwords on any given system
are not easily guessable by cracklib using at minimum the default
dictionaries then the search space is similarly reduced.  However until
someone produces a version of 'crack' or similar that can systematically
test every password which 'crack' would normally _not_ test, I believe
the bar has been raised.  More to the point, since NetBSD has shadow
passwords by default and thus offline cracking is much less likely, I
believe that with these patches the chance an attacker can successfully
guess a password at the telnet/login/sshd prompt before being detected
(by automated daily failed login audits, for example) has been reduced,
perhaps significantly.

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <g.a.woods () ieee org>;           <woods () robohack ca>
Planix, Inc. <woods () planix com>; VE3TCP; Secrets of the Weird <woods () weird com>
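As an added illustration (not part of this message, and not cracklib's own code), the following Python sketches the kind of checks cracklib applies when a user picks a new password, so the passwd program can "bitch" before the weak password ever reaches the password file. The word list, the minimum length and the similarity threshold are constructed stand-ins for cracklib's real dictionaries and tunables.

```python
"""Simplified cracklib-style password-quality checks (added example, not cracklib)."""
import string
from typing import Optional

# Constructed stand-in for cracklib's compiled dictionary (assumption: real
# deployments use the system word lists, which are far larger).
DICTIONARY = {"password", "letmein", "dragon", "monkey", "netbsd", "qwerty"}
MIN_LENGTH = 8          # assumed tunable; cracklib's default differs by build
MIN_DISTANCE = 3        # assumed tunable: minimum edits between old and new


def _dictionary_forms(password: str):
    """Forms cracklib tries before a dictionary lookup: as typed (lowercased),
    reversed, and with leading/trailing digits or punctuation stripped."""
    lowered = password.lower()
    stripped = lowered.strip(string.digits + string.punctuation)
    yield from {lowered, lowered[::-1], stripped, stripped[::-1]}


def check_password(new: str, old: str = "", username: str = "") -> Optional[str]:
    """Return a cracklib-style rejection reason, or None if the password passes."""
    if len(new) < MIN_LENGTH:
        return "it is too short"
    low = new.lower()
    if low == low[::-1]:
        return "it is a palindrome"
    if username and username.lower() in low:
        return "it contains the user name"
    if old:
        old_low = old.lower()
        if low in (old_low, old_low[::-1]):
            return "it is the same as, or the reverse of, the old one"
        # Crude edit distance: positional mismatches plus the length difference.
        distance = sum(a != b for a, b in zip(low, old_low)) + abs(len(low) - len(old_low))
        if distance < MIN_DISTANCE:
            return "it is too similar to the old one"
    # Simplified form of cracklib's "not enough DIFFERENT characters" test.
    if len(set(new)) < MIN_LENGTH // 2:
        return "it does not contain enough DIFFERENT characters"
    if any(form in DICTIONARY for form in _dictionary_forms(new)):
        return "it is based on a dictionary word"
    return None
```

A passwd front end would call `check_password()` with the candidate, the current password and the login name, and refuse the change whenever a reason string comes back.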
