01-20-2009, 06:43 AM
Mark Allums

Password security/Weak Password lockout

Paul Gupta wrote:
> By what mechanism does debian decide whether or not a password is too
> weak etc.
>
> I have seen opensuse and perhaps fedora do the same thing during the
> installation. It'll spit out a warning saying similar to "This password
> is too weak, are you sure you want to use it?"
>
> I'm assuming (which I hate to do, which is why I'm asking) that it's
> using the same thing across all of these different distros.
>
> What is it exactly? AND How would one configure it to be stricter or
> more lenient with password selection?
>
> Thank you!

It's a heuristic. I thought everybody made up their own. I didn't
think that there was a uniform standard. It would have to change pretty
often.

Basically, all the rules like length, mixed case, no dictionary words,
numerals and special characters encouraged, no birthdays or dates, etc.
All that stuff rolled into a degree of fitness. A minimum fitness
required to pass.

Mark Allums





--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
01-20-2009, 06:45 AM
Juha Tuuna

Password security/Weak Password lockout

Paul Gupta wrote:
> By what mechanism does debian decide whether or not a password is too
> weak etc.
> ...
> What is it exactly? AND How would one configure it to be stricter or
> more lenient with password selection?

I use libpam-cracklib to protect from dictionary attacks. Also installed some
dictionaries, see apt-cache search dictionary | grep "/usr/share/dict"

/etc/pam.d/common-password:
password required pam_cracklib.so retry=3 minlen=10 difok=3

3 retries, minimum length of password 10 characters, 3 characters are allowed
to match with the previous password.

Hope that gets you started. Maybe check this out, too.
http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ap-checklist.en.html


--
Juha Tuuna
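
Added example (not part of the post above and not Debian's or PAM's own code): a Python script that reads the pam_cracklib line quoted above and computes the fewest characters the minlen rule can accept once character-class credits are counted, following the option descriptions in pam_cracklib(8). The minlen default of 9 and the dcredit/ucredit/lcredit/ocredit defaults of 1 are assumptions taken from that man page; the sample file content and the function names are constructed for illustration, and the module's other checks are not modelled.

```python
import re

# Constructed sample of /etc/pam.d/common-password; the pam_cracklib line is
# the one quoted in the post above, the rest is filler for the parser.
SAMPLE = """\
# /etc/pam.d/common-password (constructed sample)
password required pam_cracklib.so retry=3 minlen=10 difok=3
password [success=1 default=ignore] pam_unix.so use_authtok
"""

# Assumed defaults, per pam_cracklib(8): minlen=9 and a credit of 1 per class.
DEFAULTS = {"minlen": 9, "dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}
CREDITS = ("dcredit", "ucredit", "lcredit", "ocredit")

# type, control (plain word or [bracketed list]), module path, arguments
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def cracklib_options(pam_text):
    """Options of the first pam_cracklib line in the password stack, or None."""
    for raw in pam_text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])  # drop comments
        if not m or m.group(1) != "password":
            continue
        if not m.group(3).endswith("pam_cracklib.so"):
            continue
        opts = dict(DEFAULTS)
        for arg in m.group(4).split():
            key, _, val = arg.partition("=")
            opts[key] = int(val) if re.fullmatch(r"-?\d+", val) else (val or True)
        return opts
    return None


def shortest_accepted_length(opts):
    """Fewest characters that can pass the minlen rule once credits count.

    A credit N >= 0 lets up to N characters of that class count one extra
    towards minlen; N < 0 instead requires at least -N of that class.
    """
    bonus = sum(opts[k] for k in CREDITS if opts[k] > 0)
    required = sum(-opts[k] for k in CREDITS if opts[k] < 0)
    length = max(required, 1)
    while length + min(bonus, length - required) < opts["minlen"]:
        length += 1
    return length


if __name__ == "__main__":
    opts = cracklib_options(SAMPLE)
    print("as posted:", shortest_accepted_length(opts))
    strict = dict(opts, dcredit=0, ucredit=0, lcredit=0, ocredit=0)
    print("credits disabled:", shortest_accepted_length(strict))
```

Setting the four credit options to 0 on the pam_cracklib line makes minlen a literal character count.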


01-20-2009, 01:54 PM
Daniel Burrows

Password security/Weak Password lockout

On Tue, Jan 20, 2009 at 02:07:52AM -0500, Paul Gupta <wubrgamer@gmail.com> was heard to say:
> I have seen opensuse and perhaps fedora do the same thing during the
> installation. It'll spit out a warning saying similar to "This password
> is too weak, are you sure you want to use it?"
>
> I'm assuming (which I hate to do, which is why I'm asking) that it's
> using the same thing across all of these different distros.
>
> What is it exactly? AND How would one configure it to be stricter or
> more lenient with password selection?

I think you need to look at /etc/pam.d/common-password (which I found
by first looking in /etc/pam.d/passwd).

Daniel


All times are GMT.