password quality script aka --with-cracklib replacement

John E. Malmberg wb8tyw at
Sat Feb 15 06:07:48 GMT 2003

John H Terpstra wrote:
> On Thu, 13 Feb 2003, John E. Malmberg wrote:
>>The storage time needs to be timed based, not number of changes.
> Usually, minimum time till change is again permitted as well as ultimate
> password expiry if not changed, usually date or # days based.

I consider that a security hole.  A user should be able to change their 
password at any time.  They do not want to admit that someone may have 
seen them enter their password.

>>OpenVMS does not have the security hole where a user is forbidden to
>>change a password for a period of time from the last change, so that a
>>user must notify the system administrator when they think a recently
>>changed password was compromised.
>>Frequent password changes also lead to passwords that are more easily
>>cracked by social engineering methods.  Usually if you have learned a
>>past password, a human can figure out all future passwords.
> From my site auditing work I could not agree with this generalization. It
> might be the case with < 10% of the people I had exposure to. But then
> this would be moderated if the site has a documented password security
> and change policy.

You are right about over generalizations.  It really depends on the 
population of users that you are auditing, and if you are running a 
crack program, how successful you are in finding out what the passwords 
are.  I have had to provide the backup support for a help desk, and one 
of the platforms required the help desk operators to log in as the 
users.  The proper procedure on other platforms would be to temporarily 
override the password with a new one, but that was not practical here, 
so the users would give their passwords to the help desk operators.

One of the latest trends to try to get people to have a secure password 
is to compare so many characters from the new password with the last N.  That 
requires storing several plain text passwords.  Not good.  But someone 
seems to think so.

But I doubt that password guessing is the cause of most security 
problems, in spite of all the focus on them.  Nor do I think that 
industrial spies really spend much time trying to bypass computer 
controls.  Cheap low tech human engineering works most of the time, and 
it is cheaper to bribe a disgruntled employee than to hire a 
professional cracker.

And sometimes when you make the security policies too tight, and the 
users do not think they need to be, they will bypass them behind your 
back in ways that cannot be easily detected.

wb8tyw at
Personal Opinion Only
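The "compare the new password against the last N" rule discussed above, as an added example that is not part of this message or of Samba's own password-quality code. It shows what a history of salted hashes can do (detect exact reuse) and what it cannot do (measure similarity), and one detail worth noting: the password being replaced is in the clear at change time because the user just typed it to authenticate, so similarity to that one password costs no stored plaintext; similarity to anything older needs the plaintext history the message objects to. The history layout, the PBKDF2 parameters, the "longest common run" similarity measure and the sample passwords are all assumptions made for illustration.

```python
"""Password-history check: what a hashed history can and cannot do.

Added example, not code from the original message or from Samba. The
history format, KDF parameters, similarity rule and sample passwords
are assumptions chosen for illustration.
"""
import difflib
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumption: cost parameter kept low so the example runs quickly;
# a production deployment would use a higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 50_000


@dataclass
class PasswordHistory:
    """Stores only salted PBKDF2 digests of previous passwords, never plaintext."""
    max_entries: int = 5
    entries: list = field(default_factory=list)  # list of (salt, digest)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def record(self, password: str) -> None:
        """Append a fresh salted digest and keep only the newest max_entries."""
        salt = os.urandom(16)
        self.entries.append((salt, self._digest(password, salt)))
        self.entries = self.entries[-self.max_entries:]

    def was_used(self, candidate: str) -> bool:
        """Exact reuse is detectable: re-derive each digest with its own salt.

        Nothing weaker than exact equality can be tested this way; one
        changed character yields an unrelated digest.
        """
        return any(hmac.compare_digest(self._digest(candidate, salt), digest)
                   for salt, digest in self.entries)


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (case-sensitive).

    Stand-in for the 'so many characters in common' rule; it only works
    when both strings are available in the clear.
    """
    match = difflib.SequenceMatcher(None, a, b).find_longest_match(
        0, len(a), 0, len(b))
    return match.size


def evaluate_change(history: PasswordHistory, old_password: str,
                    new_password: str, plaintext_history=None,
                    max_common: int = 4) -> list:
    """Return the reasons to reject new_password, or [] if it is acceptable.

    - exact reuse is checked against the hashed history;
    - similarity to the password being replaced is checked against
      old_password, which the user supplied to authorise the change, so
      it needs no stored plaintext;
    - similarity to older passwords is only possible when a plaintext
      history is handed in, which is exactly the storage being objected to.
    """
    reasons = []
    if history.was_used(new_password):
        reasons.append("reuse of a previous password")
    if longest_common_run(new_password, old_password) > max_common:
        reasons.append("too similar to the password being replaced")
    for older in (plaintext_history or []):
        if longest_common_run(new_password, older) > max_common:
            reasons.append("too similar to an older password (plaintext history)")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    history = PasswordHistory()
    for pw in ["correct-horse-1", "battery-staple-2", "winter2003!"]:
        history.record(pw)
    print(evaluate_change(history, "winter2003!", "winter2004!"))
    # Hashed history alone cannot see that this resembles an older password:
    print(evaluate_change(history, "winter2003!", "battery-staple-3"))
    print(evaluate_change(history, "winter2003!", "battery-staple-3",
                          plaintext_history=["battery-staple-2"]))
```

The asymmetry is the point: `was_used` answers only "is this byte-for-byte one of the last N", while any similarity rule needs the earlier passwords as strings, so a site that wants the latter has to keep plaintext (or a reversible encoding of it) on disk.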
