
Thread: cracklib application?

  1. #1
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,176

    cracklib application?

    I was installing 11.1 and it tests passwords with cracklib - this is a great idea... Our company was shut down by a runaway virus a couple of times in the last decade. It turns out my Lotus Notes password is in cracklib!! So those viruses (or whatever) must have accessed our Lotus Notes records.

    The only way I found this out was that, on a whim, I tried my Lotus Notes password during an install of 11.1. Now, I'm looking for an application that interfaces to cracklib to test passwords, and I've found password generators, etc., but none with a built-in cracklib interface. Does anyone know of an application that can do this? I'd like to test my passwords, but don't want to have to run the installer every time I need to check a password!

    THANKS!!!
    Patti

  2. #2
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,176

    Re: cracklib application?

    OK - my bad - I guess YaST checks these, so I guess I could just use YaST to change a password and it will be tested against cracklib.

    It reports that my LN password is "based on a dictionary word" - what does that mean?

  3. #3
    Join Date
    Jan 2008
    Location
    U.K East Anglia
    Posts
    2,581

    Re: cracklib application?

    It means one or more parts of your password contain a word that can be found in a dictionary, or can create a word that is in a dictionary.

    Andy
    To be is to do = Immanuel Kant
    To do is to be = Descartes.
    Do be do be do = Frank Sinatra

    SuSE user since 7.0, Linux user since 1994

  4. #4
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,176

    Re: cracklib application?

    Thanks, Andy!! That seemed like what it might mean, but the password is 6 random letters uppercase and lowercase. Do password hackers do all combinations of words in a dictionary? Do you know if there's a way to get more information about how this part is actually *in* cracklib?

  5. #5
    goldie NNTP User

    Re: cracklib application?

    PattiMichelle wrote:
    > Thanks, Andy!! That seemed like what it might mean, but the password is
    > 6 random letters uppercase and lowercase. Do password hackers do all
    > combinations of words in a dictionary? Do you know if there's a way to
    > get more information about how this part is actually *in* cracklib?


    There is a good reason why most folks recommend longer than six
    letters AND at least one number and punctuation mark/symbol.

    Doing so decreases the likelihood of the six characters being included in
    a cracker's dictionary attack.

    https://www.grc.com/passwords.htm is a pretty good place to get a new
    'random' password.....while there, read the section "When does size
    matter?"

    --
    goldie
    Give a hacker a fish and you feed him for a day.
    Teach crypto and you feed her for a lifetime.

  6. #6
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,176

    Re: cracklib application?

    Thanks, Goldie - I use pwgen:
    Password Generator | Get Password Generator at SourceForge.net

    I would like to try strings of 6 random characters and see if they're in cracklib - that would give me an idea as to whether our database had actually been hacked (i.e., if there were other random strings in there besides my old password). Trouble is, I can't find an application that will use cracklib to test an arbitrary password. It seems like someone would have written this by now...

    Patti

  7. #7

    Re: cracklib application?

    6 is really not enough characters. This page has some info regarding lengths and character sets; using just upper and lower is poor.

    AusCERT - Choosing good passwords

    Look at the 8 letter [A-Z|a-z] and

    AusCERT - Choosing good passwords

    Looking at 6, they reckon 2 and a half hours to go through them all using alpha and numerical.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  8. #8
    Join Date
    Jun 2008
    Location
    Prescott, AZ
    Posts
    1,176

    Re: cracklib application?

    OIC - still, I'm wondering why cracklib reports it's in the dictionary if *all* 6-letter+number strings aren't? (or maybe they are?)

    I like their plot of letters+numbers vs time to crack.

  9. #9

    Re: cracklib application?

    You can see the dict, but you also have some algos. I think, from my brief look, it uses a C lib called fascistcheck. Well, that's my crude understanding; googling was letting me down.

    If you use cracklib-check it comes back with the why, i.e.
    Code:
    # cracklib-check
    i
    i: it is WAY too short
    another1
    another1: it is based on a dictionary word
    Did it actually say it was in the dict then? You can find the dict: check the files it installs, there should be one called pw_dict.pwd. I threw strings at it, but I guess one of the other cracklib exes would be better.

    Edit: there is also
    dict/cracklib-small, which I think is or can be created, not too sure (or used to create). In poking I learned a few bits, like you can give it a new word list.

  10. #10

    Re: cracklib application?

    Edit 2: perhaps you're seeing this...

    Strange how the first one passes though...
    Code:
    # cracklib-check
    th1s0ne
    th1s0ne: OK
    f0rg0tt3n
    f0rg0tt3n: it is based on a dictionary word
    ffrgotten
    ffrgotten: it is based on a dictionary word
    One more change and it passes
    Code:
    ffrgttten
    ffrgttten: OK
    Something is definitely looking for dictionary words with misspellings and substitution. I'm thinking fascistcheck but don't know conclusively.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.
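
Added example (not part of any post above, and not cracklib's code): a small Python model of why a string that is not itself a word can still be reported as "based on a dictionary word", as in the cracklib-check sessions in posts #9 and #10. The word list, the substitution table, the length threshold and the one-edit tolerance are assumptions chosen for illustration; the real library uses its own rule set and packed dictionary.

```python
# Simplified model of a dictionary-based password check (assumed rules, not cracklib's).
WORDS = {"forgotten", "another", "password"}      # constructed stand-in for pw_dict
LEET = str.maketrans("01345$@", "oieassa")        # assumed digit/symbol -> letter map
TOO_SHORT = "it is WAY too short"
BASED = "it is based on a dictionary word"

def within_one_edit(a, b):
    """True if a == b or they differ by one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                               # make a the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1                                # substitution: advance both
        j += 1                                    # otherwise skip one char of b
    return edits + (len(b) - j) <= 1

def candidates(pw):
    """Normalised forms of the password that get compared with the word list."""
    low = pw.lower()
    stripped = low.rstrip("0123456789")           # undo an appended number
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)} - {""}

def check(pw, words=WORDS):
    """Return a verdict string in the style of the sessions quoted in the thread."""
    if len(pw) < 4:                               # assumed threshold
        return TOO_SHORT
    for cand in candidates(pw):
        if any(within_one_edit(cand, w) for w in words):
            return BASED
    return "OK"

if __name__ == "__main__":
    # Inputs taken from the sessions in posts #9 and #10.
    for pw in ["i", "another1", "th1s0ne", "f0rg0tt3n", "ffrgotten", "ffrgttten"]:
        print(f"{pw}: {check(pw)}")
```

In this model a six-character string such as "anoter" is also flagged, because it is one deletion away from a listed word; a string does not have to appear in the dictionary verbatim to be rejected.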
