password complexity

moinpasha · 09-12-2006, 02:05 AM

hi.can password complexity be implemented programmatically as an application.can u help me with some source code?thanks

unSpawn · 09-12-2006, 03:58 AM

Hello there and welcome to LQ. Hope you like it here.

Could have a look at the source of Openwall's pam_passwdqc (yes, that's *two* terms to search with) (with emphasis on search). BTW, taxonomically this is not a question about security but programming. I'll move this thread to the programming forum.

fotoguy · 09-12-2006, 04:45 AM

Hi and welcome,

Not quite sure if this is what your after. Are you after something to generate a complex password? something like this.

Code:

head -c 15 /dev/random | uuencode -m - | head -2 | tail -1

Wim Sturkenboom · 09-12-2006, 05:34 AM

Please define what complexity you want?

The code snippet below is what I use (in combination with a length check) to verify if a user has specified/generated a strong password.

Code:

        if(!(ereg("[A-Z]",$data['password']) &&
             ereg("[a-z]",$data['password']) &&
             ereg("[0-9]",$data['password']) &&
             ereg("[^A-Za-z0-9]",$data['password'])))
        {
            $msg="<P class=\"db_error\">Weak password</P>";
            return -1;
        }

moinpasha · 09-12-2006, 06:29 AM

thank u sir.but how can this be used along with a length check?initially i was told to set minlen= in /etc/pam.d to whichever value to set password length.is there any other way.also in the code given above what is 'password'?

Wim Sturkenboom · 09-12-2006, 10:10 PM

Your initial question was not quite complete and clear, I guess. I thought that you needed a program that could check password complexity. The given code snippet does that. It's php code that I use in a web application and verifies if the given password (read from a html field) contains at least one uppercase character, one lowercase character, one digit and one other character before it will be stored in a database.

I don't know about pam, others can maybe help there.

moinpasha · 09-13-2006, 12:42 AM

thank u sir.yes,i wanted to check for the same conditions.but the code u have give i don't understand.can u give me a C program which describes the same?thank u

Matir · 09-13-2006, 12:57 AM

This (not so nice) c code should do the trick:

Code:

int checkpw(char *pw){
    // Input: null-terminated password string
    // Output: 0 for good password, non-zero for bad
    // Does NOT check length
    // Requires 1+ upper, 1+ lower, 1+ numeric

    int lc=0,uc=0,num=0;

    while(*pw){
        if( *pw => 'A' && *pw <= 'Z' )
            uc=1;
        else if( *pw >= 'a' && *pw <= 'z' )
            lc=1;
        else if( *pw >= '0' && *pw <= '9' )
            num=1;
        pw++;
    }

    return 3-(uc+lc+num);
}

Wim Sturkenboom · 09-13-2006, 07:09 AM

OK, so it must be C. Have a look at Matir's code. Just add a check for characters that are outside A..Z, a..z, 0..9 to make it identical to my php example.

Matir · 09-13-2006, 09:49 AM

Adding the check for other characters would be fairly simple:

Code:

int checkpw(char *pw){
    // Input: null-terminated password string
    // Output: 0 for good password, non-zero for bad
    // Does NOT check length
    // Requires 1+ upper, 1+ lower, 1+ numeric

    int lc=0,uc=0,num=0,non=0;

    while(*pw){
        if( *pw => 'A' && *pw <= 'Z' )
            uc=1;
        else if( *pw >= 'a' && *pw <= 'z' )
            lc=1;
        else if( *pw >= '0' && *pw <= '9' )
            num=1;
        else
            non=1;
        pw++;
    }

    return 4-(uc+lc+num+non);
}

Wim Sturkenboom · 09-13-2006, 10:28 PM

Quote:

Originally Posted by Matir

Adding the check for other characters would be fairly simple:

I know, but nobody ever died of doing some thinking himself.

Matir · 09-13-2006, 10:53 PM

Eh true. I'd definitely not require that, but it depends on the level of complexity you want to enforce.