savannah-users

[Savannah-users] password must be more complicated


From: Bob Proulx
Subject: [Savannah-users] password must be more complicated
Date: Tue, 7 May 2013 01:48:37 -0600
User-agent: Mutt/1.5.20 (2009-06-14)

Hi Bruce,

Bruce Korb wrote:
> Now that passwords are a teeny tad more of a nuisance,

The change posted should make them easier to use, not harder to use.
Let me explain, and then perhaps you can describe your problems.
Because I also see problems and am about to propose an additional
change.

We went from this to that:

  pwqcheck option changes

  - min=disabled,24,11,8,7
  + min=24,24,11,8,7
  - max=40
  + max=256

Where:

     min=N0,N1,N2,N3,N4

             (default: min=disabled,24,11,8,7) The minimum allowed
             password lengths for different kinds of
             passwords/passphrases.  The keyword disabled can be used
             to disallow passwords of a given kind regardless of their
             length.  Each subsequent number is required to be no
             larger than the preceding one.

             N0 is used for passwords consisting of characters from
             one character class only.  The character classes are:
             digits, lower-case letters, upper-case letters, and
             other characters.  There is also a special class for
             non-ASCII characters, which could not be classified, but
             are assumed to be non-digits.

The previous was "disabled" so no amount of single class (lower case
for example) characters would be enough.  But now you could type in 24
of them and it would be "good enough".  Previously this was disabled.

             N1 is used for passwords consisting of characters from
             two character classes that do not meet the requirements
             for a passphrase.

No change.  Still 24 characters.

             N2 is used for passphrases.  Note that besides meeting
             this length requirement, a passphrase must also consist
             of a sufficient number of words (see the passphrase
             option below).

No change.  Still 11 characters.

             N3 and N4 are used for passwords consisting of characters
             from three and four character classes, respectively.

No change.  Still 8,7 characters.

       max=N (default: max=40) The maximum allowed password length.
             This can be used to prevent users from setting passwords
             that may be too long for some system services.  The
             value 8 is treated specially: if max is set to 8,
             passwords longer than 8 characters will not be rejected,
             but will be truncated to 8 characters for the strength
             checks and the user will be warned.  This is to be used
             with the traditional DES-based password hashes, which
             truncate the password at 8 characters.

Increased the allowed length from 40 to 256.

So previously passwords that were all lower case, one character class,
were disabled.  The change makes them valid if there are enough of
them.  Ineiev posted that suggestion and implemented it.  (Thanks
Ineiev!)  Seemed reasonable to me.  I think that could only be an
improvement.  Do you agree?

But playing around with things I find some crazy behavior.  Check this
out.  I ran pwgen to create random passwords.  I tried some.  The
first several I tried failed.  Others did work.

  $ echo ohtaOe0h | pwqcheck -1 max=256 min=disabled,24,11,8,7
  Bad passphrase (based on a dictionary word and not a passphrase)

  $ echo uChiel9m | pwqcheck -1 max=256 min=disabled,24,11,8,7
  Bad passphrase (based on a dictionary word and not a passphrase)

  $ echo Iephoo3i | pwqcheck -1 max=256 min=24,24,11,8,7
  Bad passphrase (not enough different characters or classes for this length)

  $ echo ox8iChae | pwqcheck -1 max=256 min=24,24,11,8,7
  OK

Those were completely randomly generated and yet they fail the
checker?  That doesn't seem reasonable.  Part of the problem seems to
be the match check.

     match=N (default: match=4) The length of common substring
             required to conclude that a password is at least
             partially based on information found in a character
             string, or 0 to disable the substring search.  Note that
             the password will not be rejected once a weak substring
             is found; it will instead be subjected to the usual
             strength requirements with the weak substring partially
             discounted.

Setting match=0 seems to help with the "dictionary" issue.

  $ echo ohtaOe0h | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
  OK

  $ echo uChiel9m | pwqcheck -1 match=0 max=256 min=disabled,24,11,8,7
  OK

But not all of the problems.

  $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,24,11,8,7
  Bad passphrase (not enough different characters or classes for this length)

That has three character classes, lower, upper, digits, and so should
need N3=8 characters.  It is 8 characters long and so should meet the
requirements.  But it doesn't.  By experimentation it is N1 which is
the controlling variable in the above.  But I can't reconcile that
against ox8iChae being okay.  There is no difference between them.

  $ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,8,8,8,8
  OK

Does anyone see why the results are so crazy using pwqcheck?  Is this
problem causing users grief?  Or a different problem?

Taking a completely different approach...  Does anyone have a good
method of checking and ensuring password strength?  The goal isn't to
use pwqcheck but to try to avoid the too-weak password problem.

Bob
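The results above are not random: passwdqc's length/class rule (is_simple() in passwdqc_check.c) does not count an uppercase first character or a digit as the last character toward the class tally, because those are the two common ways people "decorate" a word. "Iephoo3i" has its only uppercase letter in first position, so it is scored as a two-class password and needs N1=24, while "ox8iChae" keeps its uppercase in the middle and is scored as three classes, needing N3=8. The Python below, added here as an illustration and not passwdqc's own code, models that rule (ASCII input only; the match=/dictionary substring test and the non-ASCII "unknown" class are left out) and reproduces each pwqcheck result quoted in the message.

```python
import string
from typing import Dict, List, Optional

PASSPHRASE_WORDS = 3  # passwdqc's default for the passphrase= option
REASON_SIMPLE = "not enough different characters or classes for this length"


def parse_min(spec: str) -> List[Optional[int]]:
    """Parse 'min=N0,N1,N2,N3,N4' (the 'min=' prefix is optional).
    'disabled' becomes None: that kind of password is never accepted."""
    values = spec.split("=", 1)[-1].split(",")
    if len(values) != 5:
        raise ValueError("min= needs exactly five values")
    mins = [None if v == "disabled" else int(v) for v in values]
    prev = None
    for m in mins:  # man page: each number no larger than the preceding one
        if m is not None and prev is not None and m > prev:
            raise ValueError("min= values must be non-increasing")
        if m is not None:
            prev = m
    return mins


def analyse(pw: str) -> Dict[str, int]:
    """Count classes, words and 'different' characters the way passwdqc does."""
    if any(ord(c) > 127 for c in pw):
        raise ValueError("non-ASCII input is not modelled in this illustration")
    digits = lowers = uppers = others = words = distinct = 0
    prev = " "
    for i, c in enumerate(pw):
        if c in string.digits:
            digits += 1
        elif c in string.ascii_lowercase:
            lowers += 1
        elif c in string.ascii_uppercase:
            uppers += 1
        else:
            others += 1
        # a word starts where a letter follows a non-letter
        if c.isalpha() and not prev.isalpha():
            words += 1
        # a character is "different" once: at its last occurrence, and not
        # when it merely repeats the previous character
        if c != prev and c not in pw[i + 1:]:
            distinct += 1
        prev = c
    # the rule that explains Iephoo3i vs ox8iChae: an uppercase first
    # character and a digit last character are common decorations and do
    # not earn the password an extra class
    if uppers and pw[0] in string.ascii_uppercase:
        uppers -= 1
    if digits and pw[-1] in string.digits:
        digits -= 1
    classes = sum(1 for n in (digits, lowers, uppers, others) if n)
    return {"length": len(pw), "classes": classes,
            "words": words, "distinct": distinct}


def check(pw: str, min_spec: str, passphrase_words: int = PASSPHRASE_WORDS) -> str:
    """Return 'OK' or the reason string, applying only the min= rule."""
    if not pw:
        return REASON_SIMPLE
    mins = parse_min(min_spec)
    a = analyse(pw)

    def enough(minimum: Optional[int], half: bool = False) -> bool:
        if minimum is None:  # 'disabled'
            return False
        if half and a["distinct"] < minimum // 2:
            return False
        return a["length"] >= minimum

    # try the password's own class count, then each weaker interpretation
    for classes in range(a["classes"], 0, -1):
        if classes == 1:
            return "OK" if enough(mins[0], half=True) else REASON_SIMPLE
        if classes == 2:
            if enough(mins[1]):
                return "OK"
            if a["words"] >= passphrase_words and enough(mins[2], half=True):
                return "OK"  # accepted as a passphrase (N2)
        elif classes == 3 and enough(mins[3]):
            return "OK"
        elif classes == 4 and enough(mins[4]):
            return "OK"
    return REASON_SIMPLE


if __name__ == "__main__":
    # the cases from the message plus a 24-letter single-class password,
    # which the min= change under discussion newly allows
    for pw, spec in [
        ("Iephoo3i", "min=24,24,11,8,7"),
        ("ox8iChae", "min=24,24,11,8,7"),
        ("Iephoo3i", "min=24,8,8,8,8"),
        ("abcdefghijklmnopqrstuvwx", "min=disabled,24,11,8,7"),
        ("abcdefghijklmnopqrstuvwx", "min=24,24,11,8,7"),
    ]:
        print(f"{pw:26} {spec:24} classes={analyse(pw)['classes']}  {check(pw, spec)}")
```

Running it prints the class count next to each verdict, which is the quickest way to see that "Iephoo3i" is scored as two classes and "ox8iChae" as three. The `match=` behaviour (dictionary substrings partially discounted before the length rule runs) sits in front of this check in the real tool and would need passwdqc's wordlist to reproduce.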


