Date: Fri, 15 Aug 2003 01:47:30 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Glenn Johnson <gjohnson@srrc.ars.usda.gov>
Cc: chat@freebsd.org
Subject: Re: password strength checking not consistently implemented
Message-ID: <3F3C9E22.D24F3C0A@mindspring.com>
References: <20030814225453.GA1385@node1.cluster.srrc.usda.gov>

Glenn Johnson wrote:
> I have set up the password strength checking system using
> pam_passwdqc.so, set in /etc/pam.d/passwd. I have also set up password
> expiration.
>
> When a user issues the 'passwd' command, the password strength checking
> module works as expected. When a user logs in via the console after the
> password expiry time has passed, the login program prompts for a new
> password before the session begins. However, this password change has
> no strength check at all. Is there some other change I need to make to
> my pam configuration?

"Posted for someone who wishes to remain anonymous":

----
I have this same problem.

With password strength checking in place, it drastically reduces
the search space that I need to cover in order to perform a brute
force attack, by disallowing a large portion of the space I would
otherwise need to pay attention to searching.

Without the strength checking on the password change, I have to
reexpand my search space to the entire search space, and it takes
a lot longer to crack passwords.

Please put a uniform "strength checking" algorithm in everywhere...

Thanks,
A. Hacker
----

8-) 8-).

-- Terry