
Thread: Unix Password Strength Tools(?)

  1. #1

    Unix Password Strength Tools(?)

    As some of you may have seen, our site is working on overall *nix security and also prepping for an internal and external audit of our security. To that end, one of the questions that keeps coming up is ensuring that when users change their password, it follows the policy for -stronger- passwords; min of 8 chars, alpha-numeric, one special, no dictionary, etc, etc.

    Is there a software to make sure people don't pick 'easier' passwords akin to "happy1" that would integrate into the *nix OS? Meaning that the software would have various checks built in to ensure 'stronger' passwords are picked? So far I have found bupkous.

    Hopefully this makes sense.

    Thanks in advance.

    "Quis custodiet ipsos custodes?"
    -Juvenal

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    are you looking at the plaintext passwords, or the crypted passwords...
    Perl Crypt ->
    Encrypts a string exactly like the crypt(3) function in the C library (assuming that you actually have a version there that has not been extirpated as a potential munition). This can prove useful for checking the password file for lousy passwords, amongst other things. Only the guys wearing white hats should do this.
    You could write your own perl script (for free) pretty easily...

    Or you could prolly use "John the ripper" or something similar -> http://www.openwall.com/john/
    yeah, I'm gonna need that by friday...

  3. #3
    Would be the encrypted passwords. And I was just thinking about maybe using perl. I can't tell you how many times we found passwords like bubba and a number or fluffy and a number. Course now I am already seeing that if we can enforce stronger passwords, more people will start writing them down -- unless we also look at some sorta password keeper. Ya - like "TrapperKeeper2000"! Man - I can already see this spiraling off to other works and fun. I will take a look at what we can do in perl.

    Thanks for the tip and link.
    "Quis custodiet ipsos custodes?"
    -Juvenal

  4. #4
    Junior Member
    Join Date
    Mar 2003
    Posts
    16
    If I were you, I would make a PHP web page that people have to go to in order to change their password. This way you can control how many characters long the password is and what is contained within the password string.

    On the other hand, you could probably integrate a PHP or Perl script into an existing program to do this as well. It's fairly easy to do, and doing it yourself ensures 100% accuracy of what you want. You would also be able to go back and make changes to the script any time you need to change password requirements.

    D'elTarra

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    99
    Web enabling the password change would be most beneficial to the users. I found an article from SysAdmin that goes over passwords....It doesn't deal with web enabled password changes, but I hope it can help....

    http://www.samag.com/documents/s=114...108g/0108g.htm

  6. #6
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    I believe cracklib is what you're looking for. From the readme:

    CrackLib is a library containing a C function (well, lots of functions
    really, but you only need to use one of them) which may be used in a
    "passwd"-like program.

    The idea is simple: try to prevent users from choosing passwords that
    could be guessed by "Crack" by filtering them out, at source

    .......

    * It tries to generate words from your username and gecos entry to tries
    to match them against what you've chosen.

    * It checks for simplistic patterns.

    * It then tries to reverse-engineer your password into a dictionary
    word, and searches for it in your dictionary.
    Available at http://www.crypticide.org/users/alecm/
    Do what you want with the girl, but leave me alone!
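
The checks discussed in this thread, as an added example that is not CrackLib's code and not from any poster: it applies the policy from the first post (8+ characters, letters and digits, one special) and then the three kinds of check the CrackLib readme excerpt lists. The word list, function names and sample account details are constructed for illustration.

```python
import re

# Constructed sample word list; a real deployment would load a full dictionary.
SAMPLE_DICTIONARY = {"happy", "bubba", "fluffy", "password", "secret"}

# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")


def candidate_roots(password):
    """Reduce a password to the plain words it may have been built from."""
    lowered = password.lower()
    # Drop leading/trailing digits and symbols: "happy1" -> "happy".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    # Undo substitutions inside the word: "p@ssw0rd" -> "password".
    unleet = re.sub(r"[^a-z]", "", stripped.translate(LEET))
    roots = {lowered, stripped, unleet}
    roots |= {r[::-1] for r in roots}  # reversed words are just as guessable
    return {r for r in roots if r}


def check_password(password, username="", gecos="", dictionary=SAMPLE_DICTIONARY):
    """Return the reasons to reject a password; an empty list means accept."""
    problems = []
    # Policy from the first post: 8+ chars, alphanumeric, one special.
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    # Simplistic patterns: one repeated character or a straight run (abcdefgh).
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    if len(steps) == 1 and steps <= {-1, 0, 1}:
        problems.append("simplistic pattern")
    roots = candidate_roots(password)
    # Words taken from the account's own username and gecos (full name) field.
    personal = {w for w in re.split(r"[^a-z]+", f"{username} {gecos}".lower())
                if len(w) >= 3}
    if roots & personal:
        problems.append("derived from username or gecos")
    if roots & set(dictionary):
        problems.append("based on a dictionary word")
    return problems
```

A password that satisfies the character-class rules can still fail the dictionary or username checks, which is why the composition policy alone does not stop choices like "P@ssw0rd!".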

  7. #7
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Indeed problemchild. Cracklib is a solution. That will not allow any weak passwords (unless you are root).

    vescovono : Also take a little look at this link HERE!

    There are ways to have strong passwords and remember them too. I hope the link helps you.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    hi,

    cracklib is a good option; if you are on FreeBSD you can install it under /usr/ports/security/cracklib

    cheers