Randy McMurchy wrote:
> Alexander E. Patrakov wrote these words on 08/08/05 00:17 CST:
>> Maybe this wording:
>>
>> The wordlist used with Cracklib should contain combinations of keystrokes that are typically chosen by the users as bad (guessable) passwords. Otherwise, Cracklib would encourage users to choose passwords that are not in the list, but still bad, i.e. provide little or no additional security.
>
> I'm not sure we want to use this. I simply don't understand what
> this means. I know what it is *supposed* to mean, but the way it
> is written doesn't allow me to comprehend how to avoid the problem.

Sorry for the non-constructive wording. Let's try this:

=============================
Users tend to base their passwords on regular words of the spoken language, and crackers know that. Cracklib is intended to filter out such bad passwords at source with the help of its own wordlist. To accomplish that, the wordlist for use with Cracklib must be an exhaustive list of words and word-based keystroke combinations likely to be chosen by users of the system as (guessable) passwords.
=============================

If that's still bad, let's start with your version of the above and correct it if it doesn't catch the intended meaning. What I don't like in my own words is that the following fact is not stressed enough:

wordlists suitable for spell-checking are not usable as Cracklib wordlists in countries with non-Latin based alphabets, because of "word-based keystroke combinations" that make bad passwords.

--
Alexander E. Patrakov
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
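
The point about non-Latin alphabets, as an added example that is not part of the original message: assuming "word-based keystroke combinations" means native words typed with the keyboard left in the Latin layout (here Russian ЙЦУКЕН keys against US QWERTY), this Python code derives such wordlist entries from a spelling list. The sample words and the `is_guessable` stand-in for Cracklib's lookup are constructed for illustration.

```python
"""Derive keystroke-combination entries for a Cracklib wordlist (added example)."""

# Assumption: a "word-based keystroke combination" is a native word typed
# while the keyboard is still in the Latin layout. Keys are paired by
# physical position: Russian JCUKEN row by row against US QWERTY.
JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбюё"
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,.`"
LAYOUT = str.maketrans(JCUKEN, QWERTY)

# Constructed sample: entries as a spell-checking dictionary would hold them.
SPELLING_WORDS = ["пароль", "привет", "любовь", "солнце"]


def keystrokes(word):
    """Return the Latin-layout keystrokes produced by typing `word`."""
    return word.lower().translate(LAYOUT)


def build_wordlist(words):
    """Return the sorted, de-duplicated keystroke forms of `words`.

    Words already in Latin script pass through unchanged (lowercased).
    """
    return sorted({keystrokes(w.strip()) for w in words if w.strip()})


def is_guessable(password, wordlist):
    """Simplified stand-in for Cracklib's dictionary lookup (exact match only)."""
    return password.lower() in set(wordlist)


if __name__ == "__main__":
    wordlist = build_wordlist(SPELLING_WORDS)
    for candidate in ("gfhjkm", "ghbdtn"):
        print(candidate,
              "spelling list:", is_guessable(candidate, SPELLING_WORDS),
              "keystroke list:", is_guessable(candidate, wordlist))
    # Cracklib wordlists are plain text with one entry per line.
    print("\n".join(wordlist))
```

A spelling dictionary holds "пароль" but never "gfhjkm", so a check built on it accepts the keystroke form; the derived list rejects it.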
