#1 Password Strength test needs improvement

open
None
2
2009-11-14
2008-12-22
Anonymous
No

I've been meaning to file this one for years (pretty much since I first encountered cracklib). The current password strength mechanism needs improvement. It currently discourages some forms of good passwords while encouraging some forms of bad passwords.

When analyzing passwords, among other checks, cracklib will remove all non-alpha characters and see if it has a word. The problem with this is it doesn't provide a very accurate assessment of the password. Take this example of a password:

?h#e!l-l+0%

In this case, the word 'hello' is interspersed with various special characters making for a very strong password. However, cracklib will report the password as weak. It's an example where removing the characters to perform the check is easy, however in reality a brute force attack would actually be very difficult.

On the flip side, cracklib is quick to judge weak passwords in the form of leet speak as strong, despite the fact that leet speak crack dictionaries are as easy to implement as standard Latin dictionaries. For example 'h3ll0w0r1d' would be deemed strong even though it is far more easily guessed than the previous example.

Please email dbialac_at_yahoo_com if you have any questions.

Discussion

  • Use a better dictionary that includes leet speak

  • Jan Dittberner
    2009-11-14

    I think generating a l33t sp34k dictionary from i.e. an English language dictionary is the better approach than putting rules for generating such transliterations into cracklib.
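The following is an added example, not code from cracklib or from anyone in this thread. It illustrates both the report and the comment above: it expands a small wordlist into a leet-speak dictionary (the approach the comment suggests, rather than substitution rules inside the checker), then compares two checks on the ticket's sample passwords: the "drop all non-letters and look up the residue" heuristic the report describes, and a lookup that drops punctuation and tries to split what is left into expanded-dictionary entries. The wordlist and the substitution table are constructed assumptions; a real build would read a full dictionary such as /usr/share/dict/words and a larger table.

```python
import itertools

# Constructed stand-in for an English wordlist (assumption; a real run would load a full dictionary).
BASE_WORDS = ["hello", "world", "password", "letter"]

# Constructed substitution table (assumption: a small subset of common leet substitutions).
LEET = {
    "a": ["a", "4", "@"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "l": ["l", "1"],
    "o": ["o", "0"],
    "s": ["s", "5", "$"],
    "t": ["t", "7"],
}


def leet_variants(word):
    """Every spelling of `word` in which each letter is kept or replaced by one of
    its LEET substitutes. The plain word is always among the variants."""
    choices = [LEET.get(c, [c]) for c in word.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def build_leet_dictionary(words):
    """Expand a plain wordlist into a leet-speak dictionary, done once at build time
    so the checker itself needs no transliteration rules."""
    expanded = set()
    for w in words:
        expanded |= leet_variants(w)
    return expanded


def strip_nonalpha(password):
    """The residue the report says cracklib looks up: the password with every
    non-letter removed. Digits used as leet substitutes vanish here, which is why
    'h3ll0w0r1d' is not recognised by this heuristic."""
    return "".join(c for c in password if c.isalpha()).lower()


def segment_into_dictionary_words(text, dictionary, max_len=20):
    """Return a list of dictionary entries whose concatenation is `text`, or None.
    Dynamic programming over prefixes: best[i] is a segmentation of text[:i]."""
    n = len(text)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - max_len), i):
            if best[j] is not None and text[j:i] in dictionary:
                best[i] = best[j] + [text[j:i]]
                break
    return best[n]


def is_leet_dictionary_password(password, leet_dict):
    """True when the password, lowercased with punctuation dropped, is one or more
    leet-speak dictionary words run together."""
    core = "".join(c for c in password if c.isalnum()).lower()
    return segment_into_dictionary_words(core, leet_dict) is not None


if __name__ == "__main__":
    leet_dict = build_leet_dictionary(BASE_WORDS)
    for pw in ["h3ll0w0r1d", "?h#e!l-l+0%", "p.a.s.s.w.o.r.d"]:
        print(f"{pw!r}: alpha residue {strip_nonalpha(pw)!r}, "
              f"leet-dictionary hit: {is_leet_dictionary_password(pw, leet_dict)}")
```

Two things the run shows. The non-letter residue of 'h3ll0w0r1d' is 'hllwrd', so the residue heuristic alone never sees a word, while the expanded dictionary splits it into 'h3ll0' + 'w0r1d'. The same lookup also flags '?h#e!l-l+0%', because once the separators are dropped what remains, 'hell0', is a one-substitution spelling of 'hello'; whether that should count as weak is exactly the policy question the ticket raises. Note that substitutes which are themselves punctuation ('@', '$', '!') are dropped by the `isalnum` filter before lookup, so a production checker would treat those separately from filler separators.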

  • Jan Dittberner
    2009-11-14

    • priority: 5 --> 2
    • assigned_to: nobody --> jandd