8 Jun 2002 01:12
Re: pam_passwdqc wordlist .vs. cracklib word list
Solar Designer <solar <at> openwall.com>
2002-06-07 23:12:41 GMT
On Fri, Jun 07, 2002 at 05:30:51PM +1000, John Warburton wrote:
> I have been looking at PAM modules to ensure good passwords. Currently we
> use cracklib with PAM & a huge dictionary.
>
> I have looked around & seen Solar Designer's pam_passwdqc as a drop in
> replacement. I have seen comments on the list saying that it will replace
> cracklib.
>
> My question is that cracklib has a huge dictionary & I can add to it. But,
> pam_passwdqc has a small dictionary in wordset_4k.c (it doesn't even have
> the word "snoopy"). I don't feel as safe with pam_passwdqc as it has a
> small dictionary, yet Solar Designer really has it in for libcrack, and I
> respect Solar Designer's opinion. The function is_word_based() in
> passwdqc_check.c states that the dictionary check is not very important -
> how true is that?
>
> Can anyone shed any light on my quandary?

I'm not sure you wanted to hear my opinion again, but I may try to
explain why I think the wordlist check in pam_passwdqc is of little
importance. The "small dictionary" you're referring to is in fact
primarily used for generating random passphrases (one of the features
of pam_passwdqc) and, yes, is also used for a wordlist check. Just
because it's there anyway.

Basically, if you allow short passwords (and not just passphrases),
you have to insist that a sufficient number of different characters
from several different character classes are used. That is regardless
of whether the password is based on a dictionary word or not. Even if
it is not word-based, it shouldn't fall into a common sub-keyspace
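The policy described in the reply above, as an added example that is not code from the thread or from pam_passwdqc itself: the minimum accepted length depends on how many character classes the password draws from, and a minimum number of distinct characters keeps it out of a tiny sub-keyspace, with no wordlist consulted at all. The thresholds (24/11/8 and 6 distinct characters) are assumed illustrative values, not pam_passwdqc's defaults.

```python
import string

# Assumed illustrative thresholds, not pam_passwdqc's actual defaults.
# Key = number of character classes used; one-class passwords are never accepted.
MIN_LEN_BY_CLASSES = {2: 24, 3: 11, 4: 8}
MIN_DISTINCT = 6  # assumed: guards against a password built from very few symbols


def count_classes(password: str) -> int:
    """Count how many of {lowercase, uppercase, digit, other} the password uses."""
    lower = upper = digit = other = False
    for c in password:
        if c in string.ascii_lowercase:
            lower = True
        elif c in string.ascii_uppercase:
            upper = True
        elif c in string.digits:
            digit = True
        else:
            other = True  # punctuation, space, non-ASCII, ...
    return sum((lower, upper, digit, other))


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). Purely structural: no dictionary lookup."""
    classes = count_classes(password)
    min_len = MIN_LEN_BY_CLASSES.get(classes)
    if min_len is None:
        return False, "uses only one character class"
    if len(password) < min_len:
        return False, f"{classes} classes need at least {min_len} characters"
    distinct = len(set(password))
    if distinct < MIN_DISTINCT:
        return False, f"only {distinct} distinct characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including the thread's own example word.
    for pw in ("snoopy", "snoopy1!", "Snoopy1!", "a" * 23 + "1",
               "correct horse battery staple"):
        print(repr(pw), check_password(pw))
```

Note that "snoopy" is rejected without the word ever being in a list, which is the reply's point: the class and distinct-character rules do the work the dictionary would otherwise be asked to do.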