password strength checking not consistently implemented
Terry Lambert
tlambert2 at mindspring.com
Fri Aug 15 01:48:44 PDT 2003
Glenn Johnson wrote:
> I have set up the password strength checking system using
> pam_passwdqc.so, set in /etc/pam.d/passwd. I have also set up password
> expiration.
>
> When a user issues the 'passwd' command, the password strength checking
> module works as expected. When a user logs in via the console after the
> password expiry time has passed, the login program prompts for a new
> password before the session begins. However, this password change has
> no strength check at all. Is there some other change I need to make to
> may pam configuration?
"Posted for someone who wishes to remain anyonyous":
----
I have this same problem.
With password strength checking in place, it drastically reduces
the search space that I need to cover in order to perform a brute
force attack, by disallowing a large portion of the space I would
otherwise need to pay attention to searching.
Without the strength checking on the password change, I have to
reexpand my search space to the entire search space, and it takes
a lot longer to crack passwords.
Please put a uniform "strength checking" algorithm in everywhere...
Thanks,
A. Hacker
----
8-) 8-).
-- Terry
More information about the freebsd-chat
mailing list