I was installing 11.1 and it tests passwords with cracklib - this is a great idea… Our company was shut down by a runaway virus a couple of times in the last decade. It turns out my Lotus Notes password is in cracklib!! So those viruses (or whatever) must have accessed our Lotus Notes records.
The only way I found this out was that, on a whim, I tried my Lotus Notes password during an install of 11.1. Now, I’m looking for an application that interfaces to cracklib to test passwords, and I’ve found password generators, etc., but none with a built-in cracklib interface. Does anyone know of an application that can do this? I’d like to test my passwords, but don’t want to have to run the installer every time I need to check a password!
Thanks, Andy!! That seemed like what it might mean, but the password is 6 random letters uppercase and lowercase. Do password hackers do all combinations of words in a dictionary? Do you know if there’s a way to get more information about how this part is actually in cracklib?
PattiMichelle wrote:
> Thanks, Andy!! That seemed like what it might mean, but the password is
> 6 random letters uppercase and lowercase. Do password hackers do all
> combinations of words in a dictionary? Do you know if there’s a way to
> get more information about how this part is actually in cracklib?
there is a good reason why most folks recommend longer than six
letters AND at least one number and punctuation mark/symbol:
doing so decreases the likelihood of the six characters being included in
a cracker’s dictionary attack…
https://www.grc.com/passwords.htm is a pretty good place to get a new
‘random’ password…while there, read the section “When does size
matter?”
–
goldie
Give a hacker a fish and you feed him for a day.
Teach crypto and you feed her for a lifetime.
I would like to try strings of 6 random characters and see if they’re in cracklib - that would give me an idea as to whether our database had actually been hacked (i.e., if there were other random strings in there besides my old password). Trouble is, I can’t find an application that will use cracklib to test an arbitrary password. It seems like someone would have written this by now…
You can see the dict, but you also have some algos I think; from my brief look it uses a C lib called fascistcheck. Well, that’s my crude understanding; googling was letting me down.
If you use cracklib-check it comes back with the why, i.e.
# cracklib-check
i
i: it is WAY too short
another1
another1: it is based on a dictionary word
Did it actually say it was in the dict then? You can find the dict; check the files it installs, there should be one called pw_dict.pwd. I threw strings at it but guess one of the other cracklib exes would be better.
Edit: there is also
dict/cracklib-small, which I think is or can be created, not too sure (or used to create). In poking I learned a few bits, like you can give it a new word list.
I cannot imagine it was there all along and I didn’t know it. The docs said it was a C code library piece, so I didn’t go any further - but apparently it’s also a stand-alone executable!
OK - by my testing it seems that if a little less than half the letters add up to an English “word” (caps or not) it returns “based on a dictionary word,” hence there is no evidence our Lotus Notes database was “cracked.” My bad!! This is what I sought to discern. Thanks for your help!!!
Patti
EDIT: And it’s not bulletproof (note the last one):
feeter: it does not contain enough DIFFERENT characters
feet45
feet45: it is based on a dictionary word
feet345
feet345: it is based on a dictionary word
feet2345
feet2345: OK
feetfeetfeet
feetfeetfeet: it does not contain enough DIFFERENT characters
feetfootfire
feetfootfire: OK
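A toy model of the mangle-and-lookup behaviour these results suggest, added here as an illustration. It is not cracklib’s source: the destructor rules, the word list and the thresholds are assumptions chosen to reproduce the verdicts posted in this thread.

```python
# Simplified model of a cracklib-check style dictionary test (illustration only,
# not cracklib's code). A candidate is lowercased, a few "destructor" transforms
# are applied (strip up to three leading or trailing characters, reverse, undo
# common digit-for-letter substitutions) and every resulting form is looked up
# in a word list. Only a whole-form match counts, which is why a string built
# from three words (feetfootfire) slips through while feet45 does not.

# Constructed toy dictionary standing in for cracklib-small.
WORDS = {"feet", "foot", "fire", "forgotten", "another", "zoos"}
MIN_LEN = 6        # assumed minimum length
MIN_DISTINCT = 5   # assumed threshold reproducing the "DIFFERENT characters" verdicts
LEET = str.maketrans("01345", "oieas")  # undo 0->o, 1->i, 3->e, 4->a, 5->s


def candidates(pw):
    """Return the mangled forms a dictionary check would look up."""
    base = pw.lower()
    forms = {base, base[::-1], base.translate(LEET)}
    for n in (1, 2, 3):  # drop leading / trailing "junk" characters
        if len(base) > n:
            forms.add(base[n:])
            forms.add(base[:-n])
    return forms


def check(pw):
    """Return a cracklib-check style verdict: 'OK' or the reason it failed."""
    if len(pw) < MIN_LEN:
        return "it is WAY too short"
    if len(set(pw)) < MIN_DISTINCT:
        return "it does not contain enough DIFFERENT characters"
    if any(form in WORDS for form in candidates(pw)):
        return "it is based on a dictionary word"
    return "OK"


if __name__ == "__main__":
    # The strings posted in this thread, fed through the model.
    for pw in ("feet45", "feet345", "feet2345", "feetfeetfeet",
               "feetfootfire", "th1s0ne", "f0rg0tt3n"):
        print(f"{pw}: {check(pw)}")
```

The model matches every verdict shown above except ffrgotten, whose flagging needs a rule this model does not include; no suffix rule strips four characters, which is why feet2345 passes while feet345 is caught.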
Well, the handy thing is you can change the word list. For example, here I only took one word, added it to the other words and reversed them:
for i in $(echo zoos); do for w in $(cat /usr/share/cracklib/cracklib-small); do echo $i$w;echo $w$i; done; done
But… this becomes a huge dictionary; what the implications are go beyond me. I’m surprised this isn’t part of cracklib’s core functions (it may well be, but I never found it).
As to how big, well, very big. One word added and reversed to the basic dict got me
wc -w dmp.txt
105696 dmp.txt
Then add the single words: 52848, so already up to 150,000. I didn’t really fancy doing it for real and only tested one word; you would actually need to create a huge one. Where I reversed $i$w you would need
$l$m$r, $m$l$r, $m$r$l, $r$m$l, $l$r$m, $r$l$m + $i$w, $w$i; you would just need to nest the fors more. Guessing and not checked, as that sounds like a huge dictionary.
# every ordered triple from the list covers all six orderings of l, m and r
for l in $(cat /usr/share/cracklib/cracklib-small); do
  for m in $(cat /usr/share/cracklib/cracklib-small); do
    for r in $(cat /usr/share/cracklib/cracklib-small); do
      echo "$l$m$r"
    done
  done
done
As for how many words that wordlist would have, I wouldn’t even like to guess…
But were you to do this, then feetfootfire, or any of the other variants like firefootfeet etc., should match.
Edit
Also, by the way, if the app is PAM-aware then you should have access to pam_cracklib, which can be further configured to enforce or weight characters.
>
>edit 2 perhaps you’re seeing this…
>
>Strange how the first one passes though…
>
>Code:
>--------------------
> # cracklib-check
> th1s0ne
> th1s0ne: OK
> f0rg0tt3n
> f0rg0tt3n: it is based on a dictionary word
> ffrgotten
> ffrgotten: it is based on a dictionary word
>--------------------
>
>Something is definitely looking for dictionary words and misspellings
>and substitution. I’m thinking fascistcheck but don’t know conclusively.
My guess is that it includes short words from most common languages,
including French, German, Portuguese, Russian, Spanish etc.