> On Mon, 3 Jun 1996, Brett L. Hawn wrote:
> > You can lead a user to a good password but you can only make them use it for
> > so long.
> What about a fascist passwd program which refers to a dictionary and
> rejects "easy" passwords? Does such an animal exist?

There are about a dozen such animals. In fact, there is one in 'Programming Perl' as example code. Npasswd and passwd+ both do this if I recall correctly.

> > Not to mention anyone with the time and desire can create a fairly
> > nifty 'dictfile' like I did a few years back. All it takes is some simple
> > brain power and a LOT of disk space, a quick file that prints all variations
> > of 5-8 character length combinations to a file. I stopped mine at 238megs and
> > it was still going strong.
>
> I think this one comes under the heading of "brute force attack" - just
> with alphanumerics (a-z,A-Z,0-9) you're looking at needing 62^8 entries
> for a complete set of 8 character passwords. It's probably faster to try
> and decrypt the passwd file entry directly.

But maybe you have missed the point. If all you need to do is crack ANY account on a system, then a dictionary of about 20,000 words and about 100 rules is enough.[1] You can do this on a PeeCee in a couple of hours.

There IS a point of diminishing returns when we constrain the passwords of users, but allowing them to use ANY silly password that crosses their mind is something that ought to be illegal.

[1] On systems with no passwd rules for users, I usually get one crack on /usr/dict/words, with no permutations applied.
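
A sketch of the dictionary-checking passwd front end this thread discusses, written as an added example; it is not code from the post, from 'Programming Perl', or from npasswd or passwd+. The wordlist, the function names and the particular set of undo rules are constructed for illustration.

```python
import re

# Constructed sample wordlist; a deployment would load the system dictionary
# (for instance the /usr/dict/words file mentioned in the post).
SAMPLE_WORDS = {"password", "dragon", "secret", "animal", "monkey"}

# Common character substitutions, undone before the dictionary lookup.
# Assumption: "1" is read as "l" only; a fuller rule set would also try "i".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def candidate_roots(password):
    """Return the plain words this password could have been derived from."""
    lowered = password.lower()
    # Drop any digit/punctuation prefix and suffix ("dragon99!" -> "dragon").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped,
             lowered.translate(LEET), stripped.translate(LEET)}
    forms |= {f[::-1] for f in forms}                 # reversed word
    forms |= {f[:len(f) // 2] for f in forms          # doubled word
              if f and f[:len(f) // 2] * 2 == f}
    return {f for f in forms if f}

def check_password(password, username="", words=SAMPLE_WORDS, min_len=8):
    """Return the reasons to reject a new password; an empty list accepts it."""
    reasons = []
    if len(password) < min_len:
        reasons.append("too short")
    roots = candidate_roots(password)
    if username and username.lower() in roots:
        reasons.append("derived from username")
    if roots & set(words):
        reasons.append("derived from dictionary word")
    if len(set(password)) < 4:
        reasons.append("too few distinct characters")
    return reasons

if __name__ == "__main__":
    for pw in ("dragon", "P@ssw0rd1", "drowssap", "tG7#qLw2xB"):
        print(pw, "->", check_password(pw) or "accepted")
```

The checker normalizes the candidate back toward a plain word before the lookup, so a password that is only a simple rule away from a dictionary entry is refused at change time.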