Christophe Vandeplas <christophe@vandeplas.com> writes:
>Proteus wrote:
>> So for my purposes, the main (good) use of a password cracking program is to
>> test whether my users' (and mine, ie root) passwords are strong, right?
>> (that is my intended purpose). And how long do I let the password cracking
>> program run before I assume my passwords are strong-- I mean one could in
>> theory let the cracking program run for days or weeks. When is enough
>> enough, when is a password considered strong enough (and how do I know if a
>> password I create is strong enough to thwart crackers?)?
>You should install cracklib and enable it in your pam.
It is already there on most distributions.
>This library will test the password when the user changes it,
>if it's a (possible) insecure password, it will warn the user.
>You can also configure it to only allow 'secure' passwords.
It is somewhat idiosyncratic in its choice of what a bad password is. It
was also developed for the old 8-byte crypt(3) password, and is not as
useful for the MD5-based BSD password hash now in use.
>This will enable you to have some control over the passwords of the
>users, without the need of asking them what they entered as password.
I wish Muffet would have introduced password shaping (i.e. so you could
specify what password types you felt were inappropriate). Muffet's choice
sometimes is too stringent and sometimes too lenient, IMHO.
>I think this is what you need.
As I said he probably has it. It comes standard with PAM.
>When is a password strong enough? Depends for what purpose it is used...
>--
>-------------------------------------
>Christophe 'ElCascador' Vandeplas
>GSM: +32 (0)486/64.10.33
>email: christophe(at)vandeplas(dot)com
>http://www.vandeplas.com
>GnuPG:1024D/14913897: 66BD A9EB 0357 D80F 20D4 D698 3B2B E562 1491 3897
>-------------------------------------
>*** PLEASE ***
>"Never send mass-mails/forward to this email address.
> Please add the email-address to the BCC field (Blind Carbon Copy)
> or send the mail separately to me."
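A worked example of what "enable it in your PAM" and "configure it to only allow 'secure' passwords" look like in a PAM password stack, added here as an illustration and not taken from either message in the thread. It assumes a Debian-style layout where the password rules live in /etc/pam.d/common-password; on other distributions the equivalent lines go in /etc/pam.d/passwd or /etc/pam.d/system-auth. The minlen, difok and credit values are illustrative choices, not recommendations from the thread.

```text
# /etc/pam.d/common-password (Debian-style layout, assumed; added example, not from the thread)
# Keep exactly ONE of the two pam_cracklib lines below.

# (a) Warn only. pam_cracklib still prints "BAD PASSWORD: <reason>", but because
#     the control flag is "optional" its failure does not stop the stack, so the
#     user (or root) can keep the weak password anyway.
password optional  pam_cracklib.so retry=3

# (b) Enforce. "requisite" aborts the stack on failure, so a password that
#     pam_cracklib rejects is never handed to pam_unix. A negative credit value
#     means "at least one character of this class is mandatory"; minlen is the
#     length floor; difok requires three characters to differ from the old
#     password; reject_username refuses passwords containing the login name;
#     enforce_for_root removes root's default exemption from the checks.
password requisite pam_cracklib.so retry=3 minlen=12 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 reject_username enforce_for_root

# Store the accepted password hashed with SHA-512 in /etc/shadow. use_authtok
# makes pam_unix reuse the password pam_cracklib already vetted instead of
# prompting a second time, so the check cannot be bypassed by retyping.
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512 shadow
password requisite pam_deny.so
password required  pam_permit.so
```

To see what the library thinks of a candidate without changing any account, pipe it to the cracklib-check utility that ships with cracklib (echo 'candidate' | cracklib-check); it prints either "candidate: OK" or the reason for rejection, using the same dictionary pam_cracklib consults, which is a quick way to judge how strict or lenient its verdicts are before turning on variant (b).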