$ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,24,11,8,7
Bad passphrase (not enough different characters or classes for this length)

That has three character classes, lower, upper, digits, and so should need N3=8 characters. It is 8 characters long and so should meet the requirements. But it doesn't. It is 8 characters long but not 8 *unique* characters -- o is repeated, there are no repeated chars in ox8iChae.

Could that be the reason? Just a wild guess. (I think it is absurd that this password is rejected, BTW.)

$ echo Iephoo3i | pwqcheck -1 match=0 max=256 min=24,8,8,8,8
OK

Does anyone see why the results are so crazy using pwqcheck? Is this problem causing users grief?

It is one of the problems, for sure. Users put together 3 different classes in their 8 chars (already a big pain), it fails, and since the feedback as to why it fails is not specific, they just iterate randomly and find one that works. Very frustrating. I've been frustrated by it myself.

Is there a way to get pwqcheck to report more specifically why a pw is bad?

Taking a completely different approach... Does anyone have a good method of checking and ensuring password strength? The goal isn't to use pwqcheck but to try to avoid the too-weak password problem.

At one site I administered, I had a pwchange script which would try to crack the proposed password for a few seconds. (And for longer overnight.) That caught a lot of things -- the things which crackers would be most likely to find -- without being much of a hassle. (I forget the crack script I used, it was whatever was commonly/publicly available at the time.) Clearly this would not replace the kinds of checks that are being done now, though.

Nevertheless, I think our pw requirements are too strong. In the sense that sv makes requirements that no one else does. Furthermore, getting in to some sv user's web account is really not very interesting to crackers -- the worst they could do is screw up the stuff for that user's projects. My experience is that cracks are directed at gaining shell/root access.

Anyway ... can you make a proposal for the pwqcheck args to reduce the pain, Bob? I am not sure where we stand.

Thanks,
karl
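
Added example (not part of the original message, and not passwdqc's own code): a simplified Python model of the character-class rule documented in passwdqc.conf(5), where an upper-case first character and a digit last character are not counted toward classes, applied to the two pwqcheck results above. The function names are hypothetical, and the N2 passphrase rule and the unique-character, dictionary and match= checks are assumed away, so it only explains length-versus-class rejections.

```python
import string

def counted_classes(pw):
    """Classes counted under the passwdqc.conf(5) rule: an upper-case first
    character and a digit last character are not counted."""
    classes = set()
    last = len(pw) - 1
    for i, ch in enumerate(pw):
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            if i != 0:
                classes.add("upper")
        elif ch in string.digits:
            if i != last:
                classes.add("digit")
        else:
            classes.add("other")
    return classes

def explain(pw, min_spec):
    """Return (accepted, reason) for a min=N0,N1,N2,N3,N4 setting.
    Simplified model: N2 (passphrases) and the unique-character,
    dictionary and match= checks are not modelled."""
    n = min_spec.split(",")
    required = {1: n[0], 2: n[1], 3: n[3], 4: n[4]}
    classes = counted_classes(pw)
    if not classes:
        return False, "no characters count toward any class"
    need = required[len(classes)]
    detail = "%d counted class(es) %s, length %d, minimum %s" % (
        len(classes), sorted(classes), len(pw), need)
    if need == "disabled" or len(pw) < int(need):
        return False, "rejected: " + detail
    return True, "accepted: " + detail

if __name__ == "__main__":
    # Passwords and min= settings taken from the message above.
    for pw, spec in [("Iephoo3i", "24,24,11,8,7"),
                     ("Iephoo3i", "24,8,8,8,8"),
                     ("ox8iChae", "24,24,11,8,7")]:
        print(pw, spec, explain(pw, spec)[1])
```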