From: Terry Lambert
Date: Fri, 15 Aug 2003 01:47:30 -0700
To: Glenn Johnson
cc: chat@freebsd.org
Subject: Re: password strength checking not consistently implemented
Message-ID: <3F3C9E22.D24F3C0A@mindspring.com>
References: <20030814225453.GA1385@node1.cluster.srrc.usda.gov>

Glenn Johnson wrote:
> I have set up the password strength checking system using
> pam_passwdqc.so, set in /etc/pam.d/passwd. I have also set up password
> expiration.
>
> When a user issues the 'passwd' command, the password strength checking
> module works as expected. When a user logs in via the console after the
> password expiry time has passed, the login program prompts for a new
> password before the session begins. However, this password change has
> no strength check at all. Is there some other change I need to make to
> my pam configuration?

"Posted for someone who wishes to remain anonymous":

----
I have this same problem.

With password strength checking in place, it drastically reduces the
search space that I need to cover in order to perform a brute force
attack, by disallowing a large portion of the space I would otherwise
need to pay attention to searching.

Without the strength checking on the password change, I have to
reexpand my search space to the entire search space, and it takes a
lot longer to crack passwords.

Please put a uniform "strength checking" algorithm in everywhere...

Thanks,
A. Hacker
----

8-) 8-).

-- Terry
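A consistency check for the situation Glenn Johnson describes, as an added example that is not part of the thread: it lists every PAM service whose `password` chain never calls pam_passwdqc.so. It assumes each program (passwd, login) runs the `password` chain of its own service file; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which PAM services have a
# "password" chain that never calls the strength-checking module.
# Limitation: "include" lines are not followed.

# audit_pam_dir DIR [MODULE] -> one line per service: "<service> ok|MISSING".
# Services with no password chain at all are skipped.
audit_pam_dir() {
    dir=$1
    module=${2:-pam_passwdqc.so}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v mod="$module" -v svc="$(basename "$f")" '
            $1 ~ /^#/ || NF < 3 { next }       # comments, blank or short lines
            $1 == "password" {
                chain = 1
                n = split($3, parts, "/")       # module may be an absolute path
                if (parts[n] == mod) found = 1
            }
            END { if (chain) print svc, (found ? "ok" : "MISSING") }
        ' "$f"
    done
}

# Constructed sample reproducing the situation in the thread: the module is
# configured for the passwd service only.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
password  requisite  pam_passwdqc.so  enforce=users
password  required   pam_unix.so      no_warn try_first_pass nullok
EOF
    cat > "$d/login" <<'EOF'
auth      required   pam_unix.so      no_warn try_first_pass nullok
account   required   pam_unix.so
password  required   pam_unix.so      no_warn try_first_pass
EOF
    cat > "$d/su" <<'EOF'
auth      sufficient pam_rootok.so    no_warn
account   required   pam_unix.so
EOF
    echo "$d"
}

sample=$(make_sample_dir)
audit_pam_dir "$sample"
rm -rf "$sample"
```

On a live system the directory argument would be /etc/pam.d; any service reported as MISSING accepts a password change with no strength check.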