password quality script aka --with-cracklib replacement

David Collier-Brown -- Customer Engineering David.Collier-Brown at
Thu Feb 13 21:11:40 GMT 2003

Andrew Bartlett wrote:
> 		or else your users change from password1
> to password2 to password3 then back to password1.

	They sure do! I hate that...

	I spoke to my colleague, and he refreshed my memory
	about that part: we variously used crypt or an MD4
	hash to encrypt passwords and stored the encrypted
	form in a lookup table of N elements per user. If 
	someone changed their password, we encrypted it
	and looked to se if it was already there, and if not
	replaced the oldest stored copy.

	To avoid collisions with other people's
	passwords causing false positives, we generated 
	a salt from the userid, and applied it as part of 
	the encryption, but did not store the salt in the 
	lookup table so you couldn't see it was salted
	deterninistically from just looking at the 

David Collier-Brown,           | Always do right. This will gratify 
Sun Microsystems DCMO          | some people and astonish the rest.
Toronto, Ontario               |
(905) 415-2849 or x52849       | davecb at

More information about the samba-technical mailing list