Using cracklib

From Studiosg
Jump to: navigation, search

Welcome to Simone Giustetti's wiki pages.


Languages: English - Italiano


Introduction

Credentials are the more widespread authentication system in the IT field nowadays. They consist of a pairing of a user name (login) and a secret password. Newer technologies promise to perform better identity checks for individuals and their privileges, but the login / password pair is still an easy and cheap solution to perform those checks. In view of the poor performances provided by the competition and of the resulting scarce adoption of alternative solutions, no change of scenario seem feasible in the foreseeable future. Credentials Achilles heel resides in weak passwords, easy to guess and consequently unsafe. The cracklib library is a tool meant to check password strength against a family of attacks known as "dictionary attacks" and to increase the security level of a Linux / UNIX system.

A strong password is fundamental for the security of your host, network and all of the connected devices. Ideally a password should be known only to the user, verifiable by a system when connecting and finally impossible to guess for any user other than the owner. In real life it is very difficult to achieve all of the listed features. Users are required to remember and manage many passwords daily and as a consequence they tend to choose weak ones making life a lot easier for attackers trying to access a system or a resource they are not allowed to. Weak passwords pose today the main security treat to computers, cell phones, networks, tables and so on.

In this paper I'll introduce the cracklib library and describe its use and the tools it makes available to system administrators to discard a priori passwords that are too weak and a treat for both users and services.

Dictionary Attacks

Statistics tell us that most passwords consist of two parts a root, usually a real word taken from a dictionary, and an appendix: a prefix or more often a suffix. From the point of view of an attacker that is a considerable advantage because it allows to search for a password using words taken from a dictionary. An attack recurring to a dictionary as a source of information works efficiently because instead of trying all the potential combinations of characters, as is the case in a "brute force" attack, the search is limited to the most likely combinations. Consider 8 characters long passwords, for example, many of the potential combinations existing between "aaaaaaaa" and "zzzzzzzz" have no real meaning and are therefore unlikely. An attack based on a dictionary, namely on common words and their eventual mixing with numbers and symbols, allows to guess a password with but a fraction of attempts and time required to test all the theoretically possible strings.

Cracklib to Check Password Strength

Dictionary based attacks represent a huge risk for authentication systems used in local hosts, remote ones, network devices or Internet web pages. A check of the strength of a password before its use is a good security practice. It is not a foolproof solution preventing any intrusion, but it represents a powerful tool against attackers. A check against a password dictionary can be performed quickly and easily using both local tools or resources available via Internet and prevents the use of predictable passwords.

A lot of tools are freely available and ready to test password strength. Some of them can be accessed trough a computer network while other require local installing to work. A tool developed to test passwords on a local Linux / UNIX system is cracklib: a small library of functions that comes with its own multi-language dictionary and test program, that is able to quickly perform a check for password eligibility and filter guessable and potentially harmful ones out, at source. Cracklib performs 3 kind of checks for a tentative password:

  • It tries to generate passwords containing the user name and related personal data available on the computer.
  • Given a word it checks for its presence in the dictionary.
  • Given a word it performs some simple substitutions and transformations.

At the end of the analysis it provides a positive response or a justification that the password should be discarded.

Installing Cracklib

Slackware Linux does not officially include a cracklib package and the library must be compiled and installed from its source code. The SlackBuilds.org project provides working build scripts, which can be downloaded form the following URL. Below you'll find the steps required to install cracklib from source:

  • Select a recent version of the library compatible with Slackware Linux. Usually the latest released version.
  • Download the archive file cracklib.tar.gz into a local directory such as /tmp or /usr/src/cracklib.
  • Decompress the archive file using the tar command then move to the newly created directory:
  user@system:/tmp# tar -zxf cracklib.tar.gz
  user@system:/tmp# cd cracklib
  user@system:/tmp/cracklib# ls -la
  total 24
  drwxr-xr-x 2 1016 users 4096 Jan  9  2017 .
  drwxr-xr-x 3 root root  4096 Aug  1 15:00 ..
  -rw-r--r-- 1 1016 users  520 Nov 26  2013 README
  -rwxr-xr-x 1 1016 users 3576 Jan  9  2017 cracklib.SlackBuild
  -rw-r--r-- 1 1016 users  485 Jul  2  2016 cracklib.info
  -rw-r--r-- 1 1016 users  928 Nov 26  2013 slack-desc
  • Download the archive file containing the source code and a second one for the password database into the directory where the build script cracklib.SlackBuild is located. The source URLs are available in the cracklib page of the www.slackbuilds.org web site. The command sequence for Slackware 14.2 is:
  user@system:/tmp/cracklib# wget https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-2.9.6.tar.gz
  --2018-08-01 15:04:37--  https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-2.9.6.tar.gz
  Resolving github.com... 192.30.253.112, 192.30.253.113
  Connecting to github.com|192.30.253.112|:443... connected.
  HTTP request sent, awaiting response... 302 Found
  Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/f44b9bfc-45af- ... -stream [following]
  --2018-08-01 15:04:38--  https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/f44b9bfc-45af- ... octet-stream
  Resolving github-production-release-asset-2e65be.s3.amazonaws.com... 52.216.226.168
  Connecting to github-production-release-asset-2e65be.s3.amazonaws.com|52.216.226.168|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 642402 (627K) [application/octet-stream]
  Saving to: 'cracklib-2.9.6.tar.gz'
  
  cracklib-2.9.6.tar.gz            100%[=======================================================>] 627.35K   550KB/s    in 1.1s    
  
  2018-08-01 15:04:39 (550 KB/s) - 'cracklib-2.9.6.tar.gz' saved [642402/642402]
  
  user@system:/tmp/cracklib# wget https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-words-2.9.6.gz
  --2018-08-01 15:05:06--  https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-words-2.9.6.gz
  Resolving github.com... 192.30.253.113, 192.30.253.112
  Connecting to github.com|192.30.253.113|:443... connected.
  HTTP request sent, awaiting response... 302 Found
  Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/281a79b8-45af- ... -stream [following]
  --2018-08-01 15:05:06--  https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/281a79b8-45af- ... octet-stream
  Resolving github-production-release-asset-2e65be.s3.amazonaws.com... 54.231.82.18
  Connecting to github-production-release-asset-2e65be.s3.amazonaws.com|54.231.82.18|:443... connected.
  HTTP request sent, awaiting response... 200 OK
  Length: 5536645 (5.3M) [application/octet-stream]
  Saving to: 'cracklib-words-2.9.6.gz'
  
  cracklib-words-2.9.6.gz          100%[=======================================================>]   5.28M   824KB/s    in 6.9s    
  
  2018-08-01 15:05:14 (785 KB/s) - 'cracklib-words-2.9.6.gz' saved [5536645/5536645]

Release numbers could change for different versions of Slackware Linux.

  • Switch to the root account using the su - command and providing the administrator password.
  • Run the build script:
  root@system:~# cd /tmp/cracklib
  root@system:/tmp/cracklib# sh ./cracklib.SlackBuild
  ...
  Slackware package /tmp/cracklib-2.9.6-x86_64-2_SBo.tgz created.
  • Once the build script exits successfully install the resulting package with command installpkg. Newly created packages are usually saved into the /tmp directory:
  root@system:/tmp/cracklib# installpkg /tmp/cracklib-2.9.6-x86_64-2_SBo.tgz
  Verifying package cracklib-2.9.6-x86_64-2_SBo.tgz.
  Installing package cracklib-2.9.6-x86_64-2_SBo.tgz:
  PACKAGE DESCRIPTION:
  # cracklib (password crack library)
  #
  # CrackLib is a library containing a C function (well, lots of functions
  # really, but you only need to use one of them) which may be used in a
  # "passwd"-like program.
  #
  # The idea is simple: try to prevent users from choosing passwords that
  # could be guessed by "Crack" by filtering them out, at source.
  #
  Executing install script for cracklib-2.9.6-x86_64-2_SBo.tgz.
  Package cracklib-2.9.6-x86_64-2_SBo.tgz installed.

When the package is successfully installed the strength of any password can be immediately tested using command cracklib-check which, when run with no option, works in interactive way:

  root@system:/tmp/cracklib# cracklib-check
  ddd
  ddd: it is WAY too short
  devil
  devil: it is too short
  devil123
  devil123: it is based on a dictionary word

Press the CTRL + C keys combo on the keyboard to close a running session.


Cracklib - Examples of Use

Cracklib can work in both interactive mode, as in the example above, and non interactive mode when combined with other Linux / UNIX commands. In non interactive mode cracklib can perform checks on many passwords in a single run. Below you'll find an example combining the cracklib-check and echo commands:

  user@system:~# echo 'password' | /usr/sbin/cracklib-check
  password: it is based on a dictionary word
  user@system:~# echo 'password1' | /usr/sbin/cracklib-check
  password1: it is based on a dictionary word
  user@system:~# echo 'pass' | /usr/sbin/cracklib-check
  pass: it is too short
  user@system:~# echo 'password1!' | /usr/sbin/cracklib-check
  password1!: it is based on a dictionary word

Standard users should use the full path to the command because it is located into the /usr/sbin system directory. It is after all an administration tool designed for root users.

Likewise the contents of a file can be supplied to the control program and it will verify the strength of each password in it:

  root@system:~# cat pwd.txt | cracklib-check
  asdrty: OK
  avoneg: it is based on a dictionary word
  drowssap1: it is based on a (reversed) dictionary word
  drowssap1!: it is based on a (reversed) dictionary word
  drowssap12?: it is based on a (reversed) dictionary word
  genova: it is based on a dictionary word
  italia: it does not contain enough DIFFERENT characters
  italia123: OK
  marco: it is too short
  password: it is based on a dictionary word
  password2?: it is based on a dictionary word
  pwd12345: it is too simplistic/systematic
  qazwsxedc: it is based on a dictionary word
  qweasd: it is based on a dictionary word
  qweasdzxc: it is based on a dictionary word
  qwerty: it is based on a dictionary word
  qwerty1: it is based on a dictionary word
  qwerty123: it is based on a dictionary word
  qwerty123!: it is based on a dictionary word
  root: it is too short
  simone: it is based on a dictionary word

The previous example used a pwd.txt text file containing a single password per row. The file was read with the cat command and the output redirected to the cracklib-check command trough a "|" (Pipe). Every password was checked and the outcome printed to screen after the very same password.

Shortcomings of the Cracklib Library

The last example of the previous paragraph provides enough material to draw some conclusions about cracklib and its standard dictionary, the one provided with the library. Passwords shorter than 8 characters, passwords found in the dictionary and their simple transformations such as inverting characters, concatenating digits or symbols were all accurately spotted and classified as insecure. Key sequences and their combinations were accurately identified and reported. The only "problematic" strings are "asdrty" and "italia123" which, in spite of being a very short and only apparently random key sequence and a trivially transformed dictionary word, were classified "strong" by the tool.

The control performed by cracklib is useful, but far from perfect. The tool effectiveness could be improved by configuring a different dictionary, but this raises a new problem: where to find a dictionary source. Ultimately it is advisable to use cracklib to perform password strength checks, but do not consider it infallible and always let common sense prevail.

Cracklib and Customized Dictionaries

The outcome of cracklib-check executed checks is highly influenced by the quality of the installed dictionary and the total count of included words. The standard dictionary shipped with the library includes more or less 60.000 English words. Not enough for people or organizations speaking a different language or multinationals. Cracklib developers provide a second extended dictionary that can be downloaded from the project web site repository. The extended dictionary includes more than 2.000.000 common words from many languages. It is a really good improvement and you are highly encouraged to always install the extended dictionary. Another additional improvement consist of the configuration of custom dictionaries including terms specific to the organization and its field of operation. For a law firm, for example, it makes a lot of sense to include words and terms taken from legal literature and missing from a standard dictionary. The same rule applies to brokers, traders, a medical devices factory, a financial company and so on. Users will stick to familiar terms when choosing a password.

The cracklib library provides a tool to create custom dictionaries: the create-cracklib-dict utility. The tool reads files containing words and outputs a dictionary compressed and formatted accordingly to library standards. A copy of every new dictionary is saved in a predefined directory: /usr/share/cracklib/. Files read by create-cracklib-dict should include a single word in every line. You can copy an existing dictionary and customize it adding words. Another way to create a word list consist of searching the Internet for pages like: https://en.oxforddictionaries.com/explore/word-lists. When source files are ready place them all in a directory, usually /usr/share/dict, for ease of use then run command:

  root@system # create-cracklib-dict /usr/share/dict/*

The command requires root privileges to run and access to some system directories and produce the following list of files:

  /usr/share/cracklib/pw_dict.hwm
  /usr/share/cracklib/pw_dict.pwd
  /usr/share/cracklib/pw_dict.pwi

Saving files in a directory other than the default one requires using explicitly commands cracklib-format and cracklib-packer that are usually called by create-cracklib-dict.

For more information about cracklib, its use and internals please refer to the documentation of the library and of the installed distribution, which often provides custom configuration tools and scripts.

Cracklib Alternatives Freely Available on the Internet

Cracklib is developed to run locally on a machine. Searching the Internet you'll find web sites providing the same functionality. Web sites like:

And many more will pop up when using a search engine. All of the listed pages share a common interface: a textbox where to insert the password, an option to hide or show the inserted password, some graphic widget providing a quick feedback for the password string and a list of hints to increase password strength.

The above listed web sites are afflicted by some of the same cracklib merits and flaws and their feedback too is heavily influenced by their dictionaries. Some of them perform well with dictionary included words, some other value the string length more and some other more reward the presence of a combination of lowercase and uppercase characters, digits and symbols. No tool will provide the definitive answer to weak passwords, but their use, perhaps combined, certainly helps to discard really trivial and potentially unsafe passwords.


Conclusions

I introduced cracklib a library useful to test password strength an discard weak ones that could present a security treat to users, or servers. The article paragraphs discussed the installation procedure and provided some usage examples of program cracklib-check. Some useful links to alternative on-line free tools and resources were provided in the final part of this paper. In conclusion I recommend to install and routinely use cracklib in order to improve the security of both home or business systems.


For any feedback, questions, errors and such, please e-mail me at studiosg [at] giustetti [dot] net


External links





Languages: English - Italiano