[plug] Password Composition

Christian christian at amnet.net.au
Mon Apr 10 13:50:00 WST 2000

On Mon, Apr 10, 2000 at 01:33:01PM +0800, Earnshaw, Mike wrote:
> My question is can the "check" of whether a password is bad or not be
> modified in some way? For example to force alternate upper/lower case and a
> mixture of numerals and alpha.

I don't think it can by default.  The conventional passwd(1) program
that distributes with Linux only tests for very trivial password complexity.
There is, however, at least two other "replacement" passwd programs
which allow you to define more complex rulesets for password composition
(the two I've heard of are npasswd and passwd+ but I'm not sure whether
these will work well with Linux, especially if you're using an MD5
crypt()).  In Debian there is a package for cracklib which allows you to
do Crack's password entropy tests at password creation time, however, I
don't think this is fully implemented (at least in Debian).

> I know it spits the dummy with common names etc. The man page on RH6 did not
> reveal much in way of configuration options.

You definitely don't want to use common names.

> Also, but not related to this immediate question, I once tried to select a
> root password with !@#$%^&*() characters within it. The system appeared to
> accept it, but would not allow me to log in. When I later read the man page
> for "passwd" a "!" is used to disable a password, so maybe that was my
> error? but are the other characters valid for a password?

The "!" character is just an invalid password hash which is why it is
often used to disable an account -- the fact that your password contains
a "!" is irrelevant since this is *prior* to hashing.  I suspect the
problem before was that you just mis-typed the password.  BTW, the password
!@#$%^&*() is a REALLY bad password for pretty obvious reasons...

My advice for passwords is:
- At least 8 characters (on non-MD5 crypt() systems this is the upper
  limit anyway)
- Non-dictionary words and non-names (in any language or 
- At least one non-alphabetic (i.e., punctuation, numbers, spaces etc.)
- Don't use them: use passphrases.  Assuming they're not overly simple
  suddenly it becomes much more difficult to guess what the hash might
  be plus you can be very creative with them and they're much more
  memorable than 8 cryptic characters.



More information about the plug mailing list