From 54c730c1a33d00ede9c64b73568a0fdb19431c16 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Thu, 12 Dec 2013 17:28:09 -0800 Subject: [PATCH] Update README with more details about new checking rules The description section didn't mention the non-CrackLib capabilities, and README never spelled out how CDB dictionaries were checked. Fix both of those oversights. --- README | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/README b/README index 715a536..bf591d1 100644 --- a/README +++ b/README 
@@ -27,15 +27,23 @@ DESCRIPTION checks and comes with an example that checks passwords against CrackLib. However, in testing at Stanford, we found that CrackLib with its default transform rules does not catch passwords that can be guessed using the - same dictionary with other tools, such as Jack the Ripper. + same dictionary with other tools, such as Jack the Ripper. We then + discovered other issues with CrackLib with longer passwords, such as + some bad assumptions about how certain measures of complexity will + scale, and wanted to impose other limitations that it didn't support. This plugin provides the ability to check password quality against the standard version of CrackLib, or against a modified version of CrackLib that only passes passwords that resist attacks from both Crack and Jack - the Ripper using the same rule sets. For Heimdal, it includes both a - program usable as an external password quality check and a plugin that - implements the dynamic module API. For MIT Kerberos (1.9 or later), it - includes a plugin for the password quality (pwqual) plugin API. + the Ripper using the same rule sets. It also supports doing simpler + dictionary checks against a CDB database, which is fast with very large + dictionaries, and imposing other programmatic checks on passwords such + as character class requirements. + + For Heimdal, it includes both a program usable as an external password + quality check and a plugin that implements the dynamic module API. For + MIT Kerberos (1.9 or later), it includes a plugin for the password + quality (pwqual) plugin API. krb5-strength can be built with either the system CrackLib or with the modified version of CrackLib included in this package. Note, however, 
@@ -79,9 +87,7 @@ REQUIREMENTS You can also optionally build against the TinyCDB library, which provides support for simpler and faster password checking against a CDB - dictionary file. Building a CDB dictionary with cdbmake-wordlist - (included) requires Perl 5.006 or later and the CDB utility that comes - with TinyCDB. + dictionary file. For this module to be effective for either Heimdal or MIT Kerberos, you will also need to construct a dictionary. The mkdict and packer @@ -89,9 +95,11 @@ REQUIREMENTS in this toolkit but not installed by default. You can run them out of the cracklib directory after building. You can also use the utilities that come with the stock CrackLib package (often already packaged in a - Linux distribution); the database format is compatible. For building a - CDB dictionary, use the provided cdbmake-wordlist program. The CDB - utility must be on your PATH. + Linux distribution); the database format is compatible. + + For building a CDB dictionary, use the provided cdbmake-wordlist + program. The CDB utility must be on your PATH. cdbmake-wordlist + requires Perl 5.006 or later. For a word list to use as source for the dictionary, you can use /usr/share/dict/words if it's available on your system, but it would be 
@@ -228,7 +236,11 @@ CONFIGURATION dictionary. The provided path should be the full path to the dictionary files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the CrackLib dictionary. You can use either or both settings. If you use - both, CrackLib will be checked first, and then CDB. + both, CrackLib will be checked first, and then CDB. When checking a CDB + database, the password, the password with the first character removed, + the last character removed, the first and last characters removed, the + first two characters removed, and the last two characters removed will + all be checked against the dictionary. Then, for the external password checking program, add a new section (or modify the existing [password_quality] section) to look like the @@ -286,7 +298,11 @@ CONFIGURATION dictionary. The provided path should be the full path to the dictionary files, omitting the trailing *.hwm, *.pwd, and *.pwi extensions for the CrackLib dictionary. You can use either or both settings. If you use - both, CrackLib will be checked first, and then CDB. + both, CrackLib will be checked first, and then CDB. When checking a CDB + database, the password, the password with the first character removed, + the last character removed, the first and last characters removed, the + first two characters removed, and the last two characters removed will + all be checked against the dictionary. The second option is to use the normal dict_path setting. In the [realms] section of your krb5.conf kdc.conf, under the appropriate realm -- 2.39.2
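Review bot: the added lines in the first DESCRIPTION hunk keep the name "Jack the Ripper" (the retained context also says "Crack and Jack the Ripper"); the password cracker is John the Ripper, and since this hunk already rewrites that sentence it is the natural place to correct the name. The new clause "some bad assumptions about how certain measures of complexity will scale" is also too vague for a README: naming which CrackLib check misbehaves with long passwords, or pointing at the part of this README that describes the replacement checks, would make the motivation useful to an administrator choosing between the stock and modified CrackLib.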
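Review bot: the sentence moved into the second REQUIREMENTS hunk, "The CDB utility must be on your PATH.", drops the attribution that the text removed in the preceding hunk carried ("the CDB utility that comes with TinyCDB"), so a reader no longer learns which package provides that tool. Suggest "The CDB utility that comes with TinyCDB must be on your PATH." Keeping the Perl 5.006 requirement next to the cdbmake-wordlist mention is an improvement.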
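Review bot: the new CDB-checking sentence in the first CONFIGURATION hunk lists six forms in one long clause and never states the outcome, so readers have to infer that a match on any of them rejects the password. Suggest closing with "...; the password is rejected if any of these is found in the dictionary." and, if the README's style allows, breaking the six variants into a list (the password itself; with the first character removed; with the last character removed; with the first and last characters removed; with the first two characters removed; with the last two characters removed).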
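Review bot: the second CONFIGURATION hunk adds the same five-line description of CDB checking verbatim as the first; two copies of a behavioural description tend to drift when the checking code changes. Consider describing the CDB variants once, for example in DESCRIPTION where this patch introduces the CDB support, and having both the Heimdal and MIT Kerberos configuration sections refer to it.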