krb5-strength 3.0

krb5-strength is the password strength checking code that we use at Stanford for our primary Kerberos realm.

We've had quite a lot of difficulty deciding exactly what password strength checking we want to do and how we want to handle password history. The good part is that this is to the advantage of everyone else, since now more flexible password strength checking code is available.

The major change in this release is the addition of a password history implementation for Heimdal. Implemented as an external password quality check program, it can stack with other password quality check programs, such as the one included in this distribution. Previous passwords are hashed with PBKDF2 with SHA-2. Note that this has somewhat extensive Perl module dependencies, since it was originally written as a separate project.

Also in this release is yet another password dictionary type: SQLite. This is probably a bit slower than straight lookups in CDB, and it's definitely less space-efficient since it stores each word both forward and reversed, but it can reject any password that is within edit distance one of a dictionary word. (Edit distance one means that the word can be formed from the password by adding, removing, or changing a single character.)

The cdbmake-wordlist utility has been renamed to krb5-strength-wordlist and can now generate the SQLite dictionary as well as the CDB dictionary.

Finally, another configuration option has been added: minimum_different. If set, passwords must contain at least this many different characters. This can be used to reject passwords that are long strings of the same character or short repeating patterns, which are otherwise difficult to detect with a straight dictionary-driven approach.
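As an added illustration (not code from krb5-strength itself), the following Python sketch shows how a word table stored both forward and reversed lets an edit-distance-one check fetch only the candidate words that share the first half of the password as a prefix or the second half as a suffix, and adds the minimum_different rule on top. The SQLite schema, the function names and the sample word list are assumptions made for this example.

```python
import sqlite3

# Constructed sample word list; a real deployment loads a large dictionary.
WORDS = ["password", "letmein", "stanford", "kerberos", "qwerty"]


def build_dictionary(words):
    """In-memory SQLite table holding each word forward and reversed (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE words (forward TEXT NOT NULL, reversed TEXT NOT NULL)")
    db.executemany("INSERT INTO words VALUES (?, ?)", [(w, w[::-1]) for w in words])
    db.execute("CREATE INDEX fwd ON words (forward)")
    db.execute("CREATE INDEX rev ON words (reversed)")
    return db


def within_one_edit(a, b):
    """True if b equals a or can be formed from a by adding, removing or changing one character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]          # one substitution at position i
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return short[i:] == long_[i + 1:]          # one insertion/deletion at position i


def dictionary_hit(db, password):
    """Return a word within edit distance one of password, or None.

    A single edit lies either in the second half (so the first half of the
    password is a prefix of the word) or in the first half (so the second half
    is a suffix, i.e. a prefix of the reversed word); only those rows are read."""
    k = len(password) // 2
    prefix, rsuffix = password[:k], password[k:][::-1]
    rows = db.execute(
        "SELECT forward FROM words WHERE substr(forward, 1, ?) = ? "
        "OR substr(reversed, 1, ?) = ?",
        (len(prefix), prefix, len(rsuffix), rsuffix))
    for (word,) in rows:
        if within_one_edit(password, word):
            return word
    return None


def check_password(db, password, minimum_different=0):
    """Apply the minimum_different rule, then the dictionary rule; return (ok, reason)."""
    if len(set(password)) < minimum_different:
        return False, "fewer than %d different characters" % minimum_different
    word = dictionary_hit(db, password)
    if word is not None:
        return False, "within edit distance one of dictionary word %r" % word
    return True, "ok"
```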

You can get the latest release from the krb5-strength distribution page.

Posted: 2014-03-26 01:01

Last modified and spun 2014-03-26