X-Git-Url: https://git.eyrie.org/?a=blobdiff_plain;f=docs%2Fmetadata%2Fdescription;fp=docs%2Fmetadata%2Fdescription;h=0000000000000000000000000000000000000000;hb=510f358be6a968b5640b0b554118a08aa554d8cf;hp=6f62f227720013fec3293c57aab00b74f2839ddc;hpb=42bbbcfb783fe4e2e698b31472ed640d49baed8c;p=kerberos%2Fkrb5-strength.git diff --git a/docs/metadata/description b/docs/metadata/description deleted file mode 100644 index 6f62f22..0000000 --- a/docs/metadata/description +++ /dev/null 
@@ -1,54 +0,0 @@ -Heimdal includes a capability to plug in external password quality checks -and comes with an example that checks passwords against CrackLib. -However, in testing at Stanford, we found that CrackLib with its default -transform rules does not catch passwords that can be guessed using the -same dictionary with other tools, such as Jack the Ripper. We then -discovered other issues with CrackLib with longer passwords, such as some -bad assumptions about how certain measures of complexity will scale, and -wanted to impose other limitations that it didn't support. - -This plugin provides the ability to check password quality against the -standard version of CrackLib, or against a modified version of CrackLib -that only passes passwords that resist attacks from both Crack and Jack -the Ripper using the same rule sets. It also supports doing simpler -dictionary checks against a CDB database, which is fast with very large -dictionaries, or a SQLite database, which can reject all passwords within -edit distance one of a dictionary word. It can also impose other -programmatic checks on passwords such as character class requirements. - -If you're just now starting with password checking, I recommend using the -SQLite database with a large wordlist and minimum password lengths. We -found this produced the best results with the least user frustration. - -For Heimdal, krb5-strength includes both a program usable as an external -password quality check and a plugin that implements the dynamic module -API. For MIT Kerberos (1.9 or later), it includes a plugin for the -password quality (pwqual) plugin API. - -krb5-strength can be built with either the system CrackLib or with the -modified version of CrackLib included in this package. Note, however, -that if you're building against the system CrackLib, Heimdal includes in -the distribution a strength-checking plugin and an external password check -program that use the system CrackLib. 
With Heimdal, it would probably be -easier to use that plugin or program than build this package unless you -want the modified CrackLib, one of the other dictionary types, or the -additional character class and length checks. - -For information about the changes to the CrackLib included in this -toolkit, see `cracklib/HISTORY`. The primary changes are tighter rules, -which are more aggressive at finding dictionary words with characters -appended and prepended, which tighten the requirements for password -entropy, and which add stricter rules for longer passwords. They are also -minor changes to fix portability issues, remove some code that doesn't -make sense in the kadmind context, and close a few security issues. The -standard CrackLib distribution on at least some Linux distributions now -supports an additional interface to configure its behavior, and -krb5-strength should change in the future to use that interface and drop -the embedded copy. - -krb5-strength also includes a password history implementation for Heimdal. -This is separate from the password strength implementation but can be -stacked with it so that both strength and history checks are performed. -This history implementation is available only via the Heimdal external -password quality interface. MIT Kerberos includes its own password -history implementation.
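Review bot: the whole of docs/metadata/description is deleted (54 lines, `+++ /dev/null`) and nothing in this diff takes its place, so the deployment guidance it carried disappears with it unless it has been relocated elsewhere in the same change. Three pieces of that text are worth preserving somewhere visible before this lands: the recommendation to use the SQLite database with a large wordlist and minimum password lengths for new deployments, the note that the embedded CrackLib differs from the system one (tighter rules, longer-password handling, and "close a few security issues") with the pointer to `cracklib/HISTORY`, and the statement that the password history implementation is available only through the Heimdal external password quality interface. If this content has moved (for example into the README or another docs file), the commit message should say where; if the metadata directory is being replaced by a different documentation source, a pointer to that replacement in the same commit would let a reviewer confirm nothing was lost.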