Re: Password checking

"Paul Pomes, UofIllinois" <paul@uxc.cso.uiuc.edu> Wed, 04 April 1990 21:01 UTC

Received: from uxc.cso.uiuc.edu by cert.sei.cmu.edu (5.61/2.2) id AA22220; Wed, 4 Apr 90 17:01:46 -0400
Received: by uxc.cso.uiuc.edu with SMTP (5.61+/IDA-1.2.8) id AA03576; Wed, 4 Apr 90 16:00:53 -0500
Reply-To: Paul-Pomes@uiuc.edu
To: art@dinorah.wustl.edu
Cc: ssphwg@cert.sei.cmu.edu
Subject: Re: Password checking
In-Reply-To: Your message of Wed, 04 Apr 90 15:13:42 CDT. <9004042013.AA04393@dinorah.wustl.edu>
Date: Wed, 04 Apr 1990 16:00:50 -0500
Message-Id: <3572.639262850@uxc.cso.uiuc.edu>
From: "Paul Pomes, UofIllinois" <paul@uxc.cso.uiuc.edu>

It's far better to prevent weak passwords in the first place.  I have a
fairly useful password cracker (pwc.c) program that's run as needed
on workstations; however, it uses a lot of resources when given the
dictionary as a key source.  Many of the same checks put into pwc.c
are far more effective when used in passwd.c to disallow the choice
of a poor password.

Over time I've gathered some interesting numbers about password habits.
Given a password file from a departmental machine with about 300 accounts,
3-5% of the accounts can be cracked within 20 minutes just by checking
for the login name repeated as the password, spelled backwards, doubled
(for short names), and also all tokens in the GECOS field.  Each check
is tried four ways: as is, all lower case, all upper case, leading capital.
Another 12% can be obtained by throwing in /usr/dict/words.  The latter
requires the use of Baldwin's fast DES code.

The new version of passwd.c is being beta-tested in house and will be
submitted to both Berkeley and the cert-tools list once it has been torture
tested by the undergrads.  If there's sufficient interest, I'll make
both the pwc.c and passwd.c programs available for anon-FTP at that
time.

/pbp
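The proactive checks the message describes for passwd.c (login name as is, backwards and doubled, plus every GECOS token, each tried as is, all lower, all upper and leading capital), written out as an added example; this is not code from pwc.c or passwd.c, and the set of GECOS separators is an assumption.

```c
#include <ctype.h>
#include <string.h>

#define MAXLEN 128

/* Try one token four ways: as is, all lower case, leading capital,
 * all upper case. Returns 1 if pw equals any variant. */
static int matches_token(const char *pw, const char *tok)
{
    char buf[MAXLEN];
    size_t i, n = strlen(tok);
    if (n == 0 || n >= MAXLEN) return 0;
    if (strcmp(pw, tok) == 0) return 1;                 /* as is */
    for (i = 0; i < n; i++) buf[i] = (char)tolower((unsigned char)tok[i]);
    buf[n] = '\0';
    if (strcmp(pw, buf) == 0) return 1;                 /* all lower case */
    buf[0] = (char)toupper((unsigned char)buf[0]);
    if (strcmp(pw, buf) == 0) return 1;                 /* leading capital */
    for (i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)tok[i]);
    return strcmp(pw, buf) == 0;                        /* all upper case */
}

/* Login-derived candidates: the name itself, spelled backwards, doubled. */
static int matches_login(const char *pw, const char *login)
{
    char buf[MAXLEN];
    size_t i, n = strlen(login);
    if (n == 0 || 2 * n >= MAXLEN) return 0;
    if (matches_token(pw, login)) return 1;
    for (i = 0; i < n; i++) buf[i] = login[n - 1 - i];  /* backwards */
    buf[n] = '\0';
    if (matches_token(pw, buf)) return 1;
    memcpy(buf, login, n);                              /* doubled */
    memcpy(buf + n, login, n);
    buf[2 * n] = '\0';
    return matches_token(pw, buf);
}

/* Returns 1 if pw would be rejected by the checks above, 0 otherwise.
 * GECOS is split on the separators below (assumed, e.g. "John Smith,Rm 101"). */
int weak_password(const char *pw, const char *login, const char *gecos)
{
    char copy[MAXLEN], *tok;
    if (matches_login(pw, login)) return 1;
    if (strlen(gecos) >= MAXLEN) return 0;
    strcpy(copy, gecos);
    for (tok = strtok(copy, " ,;:-"); tok != NULL; tok = strtok(NULL, " ,;:-"))
        if (matches_token(pw, tok)) return 1;
    return 0;
}
```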