
Bug 158191

Summary: passwd checking module returns bad passwd inappropriately.
Product: Fedora
Reporter: akonstam
Component: passwd
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: 4
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-05-19 14:52:02 UTC

Description akonstam 2005-05-19 14:27:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.3) Gecko/20041005

Description of problem:
When entering a passwd to the passwd program, the program returns the message:
BAD PASSWORD: it is based on a dictionary word
For example, with the passwd: kgf08p
that message is returned. This passwd has all consonants and 2 numbers. What word could it be based on? This has happened to me on other passwds unrelated to words.
lkd45j
returns: Bad passwd: is too simple.
fgk08p 
returns: Bad passwd: based on a (reversed) dictionary word.

It is frustrating.

What rules are being used? They seem screwy.

Version-Release number of selected component (if applicable):
passwd-0.69-2

How reproducible:
Always

Steps to Reproduce:
1. passwd
2. Current unix passwd:
3. New passwd: fgk08p

Actual Results:  Bad passwd: based on a (reversed) dictionary word.

Expected Results:  Passwd would be accepted and a request to enter it again

Additional info:

Comment 1 Tomas Mraz 2005-05-19 14:52:02 UTC
The "too simple" is configurable by setting appropriate options to pam_cracklib
in /etc/pam.d/system-auth.
The dictionary check is done by the cracklib library.

Generally it can be said that 6-letter passwords are too short.


Comment 2 akonstam 2005-05-19 16:28:19 UTC
I am not so concerned with a 6 character passwd being too short. My real concern
is the claim that it is based on a dictionary word. This is not just one passwd
but every passwd I have tried. Now the passwd fgk08p is not based on any word I
know so something is wrong with the algorithm. And it is very annoying if I am
trying to explain to a 1000 students how to make an acceptable passwd.

Comment 3 Tomas Mraz 2005-05-19 16:43:15 UTC
The dictionary check does character substitutions and so on, so for the password
to pass it has to differ in more than x characters from any word in the
dictionary. The actual x value is in the cracklib sources, and if it's for
example 4 then basically no 6-letter password can pass the check.

Feel free to reopen the bug and reassign it to cracklib; however, I don't think the
algorithm or the x value will be changed.
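As an added example (not part of the bug report and not cracklib's or pam_cracklib's own code), a small Python model of the check comment 3 describes: the password and its reverse are compared against each dictionary word, and the password is rejected when it differs from some word in x or fewer characters. The Levenshtein metric, the x = 4 threshold and the four-word dictionary are assumptions; real cracklib uses mangling rules against a large system word list.

```python
# Illustrative model of the dictionary check described in comment 3.
# Assumptions (not from cracklib's source): lowercase the candidate, measure
# Levenshtein distance to every word, and reject when the password or its
# reverse is within MIN_DIFF edits of a word. Threshold and word list are
# constructed for the demonstration.
MIN_DIFF = 4
WORDS = ["pocket", "garden", "window", "stream"]  # constructed mini dictionary


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: unit-cost insert, delete, substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute / match
        prev = cur
    return prev[-1]


def nearest_word(candidate: str, words=WORDS):
    """Return (word, distance) for the dictionary word closest to candidate."""
    word = min(words, key=lambda w: edit_distance(candidate, w))
    return word, edit_distance(candidate, word)


def check_password(password: str, words=WORDS, min_diff=MIN_DIFF):
    """Return a pam_cracklib-style reason string, or None if the password passes.

    With a 6-character password and min_diff = 4, sharing as few as two
    characters in place with a 6-letter word is enough to be rejected, which is
    the effect comment 3 describes.
    """
    pw = password.lower()
    if nearest_word(pw, words)[1] <= min_diff:
        return "based on a dictionary word"
    if nearest_word(pw[::-1], words)[1] <= min_diff:
        return "based on a (reversed) dictionary word"
    return None


if __name__ == "__main__":
    for pw in ["pocket", "tekcop", "pxckxx", "q7z!9x"]:
        print(f"{pw}: {check_password(pw) or 'accepted'}")
```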