Unix Password Strength Tools(?)
Results 1 to 8 of 8

Thread: Unix Password Strength Tools(?)

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    94

    Unix Password Strength Tools(?)

    As some of you may have seen, our site is working on overall *nix security and also prepping for an internal and external audit of our security. To that end, of the questions that keeps coming up is ensuring that when users change their password, it follows the policy for -stronger- passwords; min of 8 chars, alpha-numeric, one special, no dictionary, etc, etc.

    Is there a software to make sure people don't pick 'easier' passwords akin to "happy1" that would integrate into the *nix OS? Meaning that the software would have various checks built in to ensure 'stronger' passwords are picked? So far I have found bupkous.

    Hopefully this makes sense.

    Thanks in advance.

    \"Quis custodiet ipsos custodes?\"
    -Juvenal

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    are you looking at the plaintext passwords, or the crypted passwords...
    Perl Crypt ->
    Encrypts a string exactly like the crypt(3) function in the C library (assuming that you actually have a version there that has not been extirpated as a potential munition). This can prove useful for checking the password file for lousy passwords, amongst other things. Only the guys wearing white hats should do this.
    You could write your own perl script (for free) pretty easily...

    Or you could prolly use "John the ripper" or something similar -> http://www.openwall.com/john/
    yeah, I\'m gonna need that by friday...

  3. #3
    Member
    Join Date
    Feb 2003
    Posts
    94
    Would be the encrypted passwords. And I was jus thinking about maybe using perl. I can't tell you how many times we found passwords like bubba and a number of fluffy and a number. Course now I am already seeing that if we can enforce stronger passwords, more people will start writing them down -- unless we also look at some sorta password keeper. Ya - like "TrapperKeeper2000"! Man - I can already see this sprialing off to other works and fun. I will take a look at what we can do in perl.

    Thanks for the tip and link.
    \"Quis custodiet ipsos custodes?\"
    -Juvenal

  4. #4
    Junior Member
    Join Date
    Mar 2003
    Posts
    16
    If I were you, I would make a PHP web page that people have to go to in order to change their password. This way you can control how many characters long the password is and what is contained within the password string.

    On the other hand, you could probably integrated a PHP or Perl script into an existing program to do this as well. It's fairly easy to do, and doing it yourself insures 100% accuracy of what you want. You would also be able to go back and make changes to the script any time you need to change password requirements.

    D'elTarra

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    99
    Web enabling the password change would be most beneficial to the users. I found an article from SysAdmin that goes over passwords....It doesn't deal with web enabled password changes, but I hope it can help....

    http://www.samag.com/documents/s=114...108g/0108g.htm

  6. #6
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    I believe cracklib is what you're looking for. From the readme:

    CrackLib is a library containing a C function (well, lots of functions
    really, but you only need to use one of them) which may be used in a
    "passwd"-like program.

    The idea is simple: try to prevent users from choosing passwords that
    could be guessed by "Crack" by filtering them out, at source

    .......

    * It tries to generate words from your username and gecos entry to tries
    to match them against what you've chosen.

    * It checks for simplistic patterns.

    * It then tries to reverse-engineer your password into a dictionary
    word, and searches for it in your dictionary.
    Available at http://www.crypticide.org/users/alecm/
    Do what you want with the girl, but leave me alone!

  7. #7
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Indeed problemchild. Cracklib is a solution. That will not allow any weak passwords (unless you are root).

    vescovono : Also take a little look at this link HERE!

    There are ways to have strong passwords and remember them too. I hope the link helps you.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    hi,

    cracklib it's good option , if you on FreeBSD you can install it under /usr/ports/security/cracklib

    cheers
    Not an image or image does not exist!
    Not an image or image does not exist!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •