cracklib application?
I was installing 11.1 and it tests passwords with cracklib - this is a great idea... Our company was shut down by a runaway virus a couple of times in the last decade. It turns out my Lotus Notes password is in cracklib!! So those viruses (or whatever) must have accessed our Lotus Notes records.
The only way I found this out was that, on a whim, I tried my Lotus Notes password during an install of 11.1. Now, I'm looking for an application that interfaces to cracklib to test passwords, and I've found password generators, etc., but none with a built-in cracklib interface. Does anyone know of an application that can do this? I'd like to test my passwords, but don't want to have to run the installer every time I need to check a password!
THANKS!!!
Patti
-
Re: cracklib application?
OK - my bad - I guess YaST checks these, so I guess I could just use YaST to change a password and it will be tested against cracklib.
It reports that my LN password is "based on a dictionary word" - what does that mean?
-
Re: cracklib application?
It means one or more parts of your password contain a word that can be found in a dictionary, or can create a word that is in a dictionary.
Andy
To be is to do = Immanuel Kant
To do is to be = Descartes.
Do be do be do = Frank Sinatra
SuSE user since 7.0,Linux user since 1994
-
Re: cracklib application?
Thanks, Andy!! That seemed like what it might mean, but the password is 6 random letters uppercase and lowercase. Do password hackers do all combinations of words in a dictionary? Do you know if there's a way to get more information about how this part is actually *in* cracklib?
-
Re: cracklib application?
PattiMichelle wrote:
> Thanks, Andy!! That seemed like what it might mean, but the password is
> 6 random letters uppercase and lowercase. Do password hackers do all
> combinations of words in a dictionary? Do you know if there's a way to
> get more information about how this part is actually *in* cracklib?
there is a good reason why most folks recommend longer than six
letters AND at least one number and punctuation mark/symbol
doing so decreases the likelihood of the six characters being included in
a cracker's dictionary attack..
https://www.grc.com/passwords.htm is a pretty good place to get a new
'random' password.....while there, read the section "When does size
matter?"
--
goldie
Give a hacker a fish and you feed him for a day.
Teach crypto and you feed her for a lifetime.
-
Re: cracklib application?
Thanks, Goldie - I use pwgen:
Password Generator | Get Password Generator at SourceForge.net
I would like to try strings of 6 random characters and see if they're in cracklib - that would give me an idea as to whether our database had actually been hacked (i.e., if there were other random strings in there besides my old password). Trouble is, I can't find an application that will use cracklib to test an arbitrary password. It seems like someone would have written this by now...
Patti
-
Re: cracklib application?
6 is really not enough characters; this page has some info regarding lengths and character sets. Using just upper and lower is poor.
AusCERT - Choosing good passwords
Look at the 8 letter [A-Z|a-z] and
AusCERT - Choosing good passwords
Looking at 6, they reckon 2 and a half hours to go through them all using alpha and numerical.
Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
If I've helped click on the Rep button I don't know what it does but it sounds cool.
-
Re: cracklib application?
OIC - still, I'm wondering why cracklib reports it's in the dictionary if *all* 6-letter+number strings aren't? (or maybe they are?)
I like their plot of letters+numbers vs time to crack.
-
Re: cracklib application?
You can see the dict, but you also have some algos. I think from my brief look it uses a C lib called fascistcheck. Well, my crude understanding; googling was letting me down.
If you use cracklib-check it comes back with the why, i.e.
Code:
# cracklib-check
i
i: it is WAY too short
another1
another1: it is based on a dictionary word
Did it actually say it was in the dict then? You can find the dict; check the files it installs, it should have one called pw_dict.pwd. I threw strings at it, but I guess one of the other cracklib exes would be better.
Edit: there is also
dict/cracklib-small, which I think is or can be created, not too sure (or used to create). In poking I learned a few bits, like you can give it a new word list.
Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
If I've helped click on the Rep button I don't know what it does but it sounds cool.
-
Re: cracklib application?
Edit 2: perhaps you're seeing this...
Strange how the first one passes though...
Code:
# cracklib-check
th1s0ne
th1s0ne: OK
f0rg0tt3n
f0rg0tt3n: it is based on a dictionary word
ffrgotten
ffrgotten: it is based on a dictionary word
One more change and it passes
Code:
ffrgttten
ffrgttten: OK
Something is definitely looking for dictionary words with misspellings and substitution. I'm thinking fascistcheck but don't know conclusively.
Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
If I've helped click on the Rep button I don't know what it does but it sounds cool.
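The cracklib-check outputs quoted in this thread are what you would expect from a checker that transforms the password back toward a plain word before looking it up. The sketch below is an added example, not part of any post and not cracklib's code: the word list, the substitution table and the trimming rule are assumptions chosen for illustration.

```python
import string

# Constructed sample word list; a real checker uses a large packed dictionary.
WORDS = {"another", "forgotten", "gotten", "password", "secret"}

# Assumed substitution table (digits/symbols commonly typed for letters).
LEET = str.maketrans("01345@$", "oieasas")
MIN_LEN = 6    # assumed minimum length
MAX_TRIM = 3   # assumed: try dropping up to 3 characters from either end


def variants(pw):
    """Yield (rule, candidate) pairs derived from the password."""
    low = pw.lower()
    bases = [
        ("as typed", low),
        ("substitutions undone", low.translate(LEET)),
        ("digits and punctuation stripped",
         low.strip(string.digits + string.punctuation)),
        ("reversed", low[::-1]),
    ]
    for rule, base in bases:
        yield rule, base
        for n in range(1, MAX_TRIM + 1):
            yield f"{rule}, first {n} dropped", base[n:]
            yield f"{rule}, last {n} dropped", base[:-n]


def check(pw):
    """Return 'OK' or the reason the password is rejected."""
    if len(pw) < MIN_LEN:
        return "too short"
    for rule, cand in variants(pw):
        if cand in WORDS:
            return f"based on dictionary word '{cand}' ({rule})"
    return "OK"


if __name__ == "__main__":
    # Sample inputs taken from the cracklib-check sessions quoted above.
    for pw in ["i", "another1", "th1s0ne", "f0rg0tt3n", "ffrgotten", "ffrgttten"]:
        print(f"{pw}: {check(pw)}")
```

With this constructed word list the sketch gives the same accept/reject split as the quoted sessions, and it also reports which derived form matched, which cracklib-check's message does not show.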