On Thursday 04 of April 2013 11:52:09 Martin Sandsmark wrote:
> On Thu, Apr 04, 2013 at 01:02:21AM +0200, Luigi Toscano wrote:
> > Have you seen this?
> > https://fedorahosted.org/libpwquality/
> > https://fedoraproject.org/wiki/Features/PasswordQualityChecking
>
> It doesn't contain any docs about how it calculates anything that I can
> find, which is a bit worrying. From looking at the code it looks very
> simplistic.

Some answers from the author (now in CC:):

<t8m> The algorithms for checking the password parameters are simple because the definition of the parameters is simple - the code is partially reused from pam_cracklib. The scoring algorithm (which is not too important) is arbitrary and created by adjusting outputs that were calculated by it on a small password dictionary.
<tosky> does it mean that the main focus is checking the password parameters, and that the scoring algorithm can be replaced? Or did I miss all the points? :)
<t8m> The algorithm that generates the password is trying to create a pronounceable password with defined entropy.
<t8m> Yes.
<t8m> Yes to the first question actually :)
<tosky> so, given the focus of the feature discussed (scoring the password), is it correct that the library is not the proper tool?
<t8m> Is the strength meter purpose to be used for system passwords?
<t8m> If so the libpwquality should be used because it will honor the system wide settings enforced by the PAM configuration (at least on Fedora it is so)
<tosky> the change would be in KNewPasswordDialog, which is part of KDELibs and used in many applications whenever a password is needed
<tosky> (or it should be used :)
[15:32:44] <t8m> ok, then using libpwquality might be slightly more complicated as the applications should be able to set their own preferences for minimum password parameters
<tosky> I see
<tosky> can I copy & paste this entire conversation?
<t8m> (which is of course possible with libpwquality, but I suppose the KNewPasswordDialog API doesn't allow this)
<t8m> sure

Ciao
--
Luigi