1 Heimdal includes a capability to plug in external password quality checks
2 and comes with an example that checks passwords against CrackLib.
3 However, in testing at Stanford, we found that CrackLib with its default
4 transform rules does not catch passwords that can be guessed using the
5 same dictionary with other tools, such as Jack the Ripper. We then
6 discovered other issues with CrackLib with longer passwords, such as some
7 bad assumptions about how certain measures of complexity will scale, and
8 wanted to impose other limitations that it didn't support.
10 This plugin provides the ability to check password quality against the
11 standard version of CrackLib, or against a modified version of CrackLib
12 that only passes passwords that resist attacks from both Crack and Jack
13 the Ripper using the same rule sets. It also supports doing simpler
14 dictionary checks against a CDB database, which is fast with very large
15 dictionaries, or a SQLite database, which can reject all passwords within
16 edit distance one of a dictionary word. It can also impose other
17 programmatic checks on passwords such as character class requirements.
19 If you're just now starting with password checking, I recommend using the
20 SQLite database with a large wordlist and minimum password lengths. We
21 found this produced the best results with the least user frustration.
23 For Heimdal, krb5-strength includes both a program usable as an external
24 password quality check and a plugin that implements the dynamic module
25 API. For MIT Kerberos (1.9 or later), it includes a plugin for the
26 password quality (pwqual) plugin API.
28 krb5-strength can be built with either the system CrackLib or with the
29 modified version of CrackLib included in this package. Note, however,
30 that if you're building against the system CrackLib, Heimdal includes in
31 the distribution a strength-checking plugin and an external password check
32 program that use the system CrackLib. With Heimdal, it would probably be
33 easier to use that plugin or program than build this package unless you
34 want the modified CrackLib, one of the other dictionary types, or the
35 additional character class and length checks.
37 For information about the changes to the CrackLib included in this
38 toolkit, see `cracklib/HISTORY`. The primary changes are tighter rules,
39 which are more aggressive at finding dictionary words with characters
40 appended and prepended, which tighten the requirements for password
41 entropy, and which add stricter rules for longer passwords. They are also
42 minor changes to fix portability issues, remove some code that doesn't
43 make sense in the kadmind context, and close a few security issues. The
44 standard CrackLib distribution on at least some Linux distributions now
45 supports an additional interface to configure its behavior, and
46 krb5-strength should change in the future to use that interface and drop
49 krb5-strength also includes a password history implementation for Heimdal.
50 This is separate from the password strength implementation but can be
51 stacked with it so that both strength and history checks are performed.
52 This history implementation is available only via the Heimdal external
53 password quality interface. MIT Kerberos includes its own password
54 history implementation.
projects / kerberos / krb5-strength.git / blob