acceptable_password(3)
acceptable_password - Determines if a password meets
deduction requirements (Enhanced Security)
int acceptable_password(
char *word,
FILE *stream );
Enhanced Security Library (libsecurity)
word    Points to the suggested password.
stream  Points to the stream to write diagnostics into.
The acceptable_password() function determines if the given
password is difficult to deduce from well-known password-guessing
heuristics. The cleartext (plaintext) password is
passed as the first argument, and the file pointer of the
stream that is used to report failure reasons is the second
argument. If this checking is to be silent, the second
argument should be a null file pointer.
When the acceptable_password() function returns a value of
1, the password provided meets all the tests listed in the
following text. When it returns a value of 0 (zero), the
password failed to meet at least one of the tests.
The selectivity criteria for the password include, but are
not limited to, the following four tests:

This test passes if the word is not a palindrome. (A
palindrome is a word that is spelled the same backwards as
it is forwards.) Examples of palindromes that fail this
test are mom, dad, noon, redivider, radar. Palindromes do
not make good passwords because they reduce an n character
password to n/2 + 1 characters. A penetrator knowing that
palindromes were legal could use heuristics that could
deduce the password much more quickly than if they were
excluded.

This test passes if the password is not a derivative of a
login name for the system. Many insecure systems allow
passwords to be the login name itself. This is a fact
known by many penetrators. All login names are excluded
because a user that is the owner of several pseudouser
accounts can elect to use the login name of one account as
the password for all accounts.

Similar to the login name issue, this test passes if the
password is not a group name derivative.

This test passes if the spell program determines that the
password is not an English word. A penetrator then could
not search the online dictionary to find the password. The
spell program also has some built-in rules that go beyond
the actual online dictionary in determining what is a
proper word, and this routine takes advantage of that.
Programs that use this routine must be compiled with -lsecurity.
System password file. System group file.
Commands: spell(1)
Functions: getpwent(3), getgrent(3)