From Studiosg
Revision of 12:01, 20 December 2018 (19,415 bytes added): Added Cracklib article
{{header_en|title=Get Stronger Passwords Using Cracklib| keyword={{Template:keyword_en_linux}}| description=A brief guide introducing cracklib, a useful tool to increase password strength in Slackware Linux | link_page=usare_cracklib}}

== Introduction ==
Credentials are the most widespread authentication mechanism in IT today. They consist of a user name (login) paired with a secret password. Newer technologies promise better identity checks for individuals and their privileges, but the login / password pair is still an easy and cheap way to perform those checks. Given the poor showing of the competing solutions and their consequently scarce adoption, no change of scenario seems likely in the foreseeable future. The Achilles heel of credentials lies in '''weak passwords, easy to guess and consequently unsafe'''. The '''cracklib''' library is a tool meant to check password strength against a family of attacks known as "dictionary attacks" and so raise the security level of a Linux / UNIX system.

A strong password is fundamental for the security of your host, your network and all of the connected devices. Ideally a password should be '''known only to the user''', '''verifiable by a system''' when connecting and '''impossible to guess for anyone other than the owner'''. In real life it is very difficult to achieve all three. Users have to remember and manage many passwords daily and as a consequence '''they tend to choose weak ones''', making life a lot easier for attackers trying to reach a system or a resource they are not entitled to. '''Weak passwords are today the main security threat to computers, cell phones, networks, tablets and so on'''.

In this paper I'll introduce the cracklib library and describe its use and the tools it makes available to system administrators to discard, a priori, passwords that are too weak and a threat to both users and services.

=== Dictionary Attacks ===
Statistics tell us that most passwords consist of two parts: '''a root''', usually a real word taken from a dictionary, and an appendix, '''a prefix''' or more often '''a suffix'''. From the point of view of an attacker that is a considerable advantage, because it allows searching for a password using words taken from a dictionary. An attack that uses a dictionary as its source of candidates works efficiently because, instead of trying every possible combination of characters as a "brute force" attack does, the search is limited to the most likely ones. Consider 8 character passwords, for example: most of the combinations between "aaaaaaaa" and "zzzzzzzz" have no meaning and are therefore unlikely choices. An attack based on a dictionary, that is on common words and their mixing with numbers and symbols, guesses a password with a fraction of the attempts and time required to test all theoretically possible strings.

=== Cracklib to Check Password Strength ===
Dictionary based attacks represent a huge risk for authentication systems on local hosts, remote ones, network devices or Internet web pages. '''Checking the strength of a password before its use is a good security practice'''. It is not a foolproof solution preventing any intrusion, but it is a powerful tool against attackers. A check against a password dictionary can be performed quickly and easily, using either local tools or resources available via the Internet, and prevents the use of predictable passwords.

A lot of tools are freely available to test password strength. Some of them are accessed through a computer network, others require a local installation. A tool developed to test passwords on a local Linux / UNIX system is '''cracklib''': a small library of functions that comes with '''its own dictionary and test program''' and is able to quickly check whether a candidate password is acceptable, filtering guessable and potentially harmful ones out at source. Cracklib performs three kinds of checks on a candidate password:
* It compares the candidate against the user name and the related personal data available on the computer (the account's GECOS information).
* It looks the word up in the dictionary.
* It applies some simple substitutions and transformations to the word, such as reversing it or stripping leading and trailing digits and punctuation, and looks those forms up as well.
At the end of the analysis it either accepts the password or returns the reason why it should be discarded.

==== Installing Cracklib ====
Slackware Linux does not officially include a '''cracklib''' package, so the library must be compiled and installed from source. The [http://www.slackbuilds.org/ SlackBuilds.org] project provides working build scripts, which can be downloaded from the following [http://slackbuilds.org/result/?search=cracklib&sv= URL]. Below are the steps required to '''install cracklib from source''':
* Select a version of the library compatible with your Slackware Linux release, usually the latest one available.
* Download the build script archive '''cracklib.tar.gz''' into a local directory such as ''/tmp'' or ''/usr/src/cracklib''.
* Extract the archive with the '''tar''' command, then move into the newly created directory:
user@system:/tmp$ '''tar''' ''-zxf'' cracklib.tar.gz
user@system:/tmp$ '''cd''' cracklib
user@system:/tmp/cracklib$ '''ls''' ''-la''
total 24
drwxr-xr-x 2 1016 users 4096 Jan 9 2017 .
drwxr-xr-x 3 root root 4096 Aug 1 15:00 ..
-rw-r--r-- 1 1016 users 520 Nov 26 2013 README
-rwxr-xr-x 1 1016 users 3576 Jan 9 2017 cracklib.SlackBuild
-rw-r--r-- 1 1016 users 485 Jul 2 2016 cracklib.info
-rw-r--r-- 1 1016 users 928 Nov 26 2013 slack-desc

* Download the source archive and the word-list archive into the directory where the build script '''cracklib.SlackBuild''' is located. The URLs, together with the expected MD5 checksums, are listed in the '''cracklib.info''' file extracted above and on the cracklib page of www.slackbuilds.org. The command sequence for '''Slackware 14.2''' is:
user@system:/tmp/cracklib$ '''wget''' https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-2.9.6.tar.gz
--2018-08-01 15:04:37-- https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-2.9.6.tar.gz
Resolving github.com... 192.30.253.112, 192.30.253.113
Connecting to github.com|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/f44b9bfc-45af- ... -stream [following]
--2018-08-01 15:04:38-- https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/f44b9bfc-45af- ... octet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com... 52.216.226.168
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com|52.216.226.168|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 642402 (627K) [application/octet-stream]
Saving to: 'cracklib-2.9.6.tar.gz'

cracklib-2.9.6.tar.gz 100%[=======================================================>] 627.35K 550KB/s in 1.1s

2018-08-01 15:04:39 (550 KB/s) - 'cracklib-2.9.6.tar.gz' saved [642402/642402]

user@system:/tmp/cracklib$ '''wget''' https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-words-2.9.6.gz
--2018-08-01 15:05:06-- https://github.com/cracklib/cracklib/releases/download/cracklib-2.9.6/cracklib-words-2.9.6.gz
Resolving github.com... 192.30.253.113, 192.30.253.112
Connecting to github.com|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/281a79b8-45af- ... -stream [following]
--2018-08-01 15:05:06-- https://github-production-release-asset-2e65be.s3.amazonaws.com/40944821/281a79b8-45af- ... octet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com... 54.231.82.18
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com|54.231.82.18|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5536645 (5.3M) [application/octet-stream]
Saving to: 'cracklib-words-2.9.6.gz'

cracklib-words-2.9.6.gz 100%[=======================================================>] 5.28M 824KB/s in 6.9s

2018-08-01 15:05:14 (785 KB/s) - 'cracklib-words-2.9.6.gz' saved [5536645/5536645]

Release numbers may differ for other versions of Slackware Linux; always take the URLs and checksums from the '''cracklib.info''' file matching your release.
* Switch to the '''root''' account with the '''su''' ''-'' command, providing the administrator password.
* Run the build script:
root@system:~# '''cd''' /tmp/cracklib
root@system:/tmp/cracklib# '''sh''' ./cracklib.SlackBuild
...
Slackware package /tmp/cracklib-2.9.6-x86_64-2_SBo.tgz created.

* Once the build script exits successfully, install the resulting package with '''installpkg'''. Newly created packages are saved in the '''/tmp''' directory by default:
root@system:/tmp/cracklib# '''installpkg''' /tmp/cracklib-2.9.6-x86_64-2_SBo.tgz
Verifying package cracklib-2.9.6-x86_64-2_SBo.tgz.
Installing package cracklib-2.9.6-x86_64-2_SBo.tgz:
PACKAGE DESCRIPTION:
# cracklib (password crack library)
#
# CrackLib is a library containing a C function (well, lots of functions
# really, but you only need to use one of them) which may be used in a
# "passwd"-like program.
#
# The idea is simple: try to prevent users from choosing passwords that
# could be guessed by "Crack" by filtering them out, at source.
#
Executing install script for cracklib-2.9.6-x86_64-2_SBo.tgz.
Package cracklib-2.9.6-x86_64-2_SBo.tgz installed.

When the package is installed, the strength of any password can be tested immediately with the '''cracklib-check''' command which, run without arguments, reads candidate passwords from standard input one per line and so works interactively at a terminal:
root@system:/tmp/cracklib# '''cracklib-check'''
ddd
ddd: <font color="red">it is WAY too short</font>
devil
devil: <font color="red">it is too short</font>
devil123
devil123: <font color="red">it is based on a dictionary word</font>

Press '''CTRL + C''' (or '''CTRL + D''', which sends end-of-file) to end the session.


==== Cracklib - Examples of Use ====
'''Cracklib-check''' works both in '''interactive mode''', as in the example above, and in '''non-interactive mode''' when combined with other Linux / UNIX commands, in which case it can check many passwords in a single run. Below is an example combining '''cracklib-check''' with '''echo''':
user@system:~$ '''echo''' 'password' | '''/usr/sbin/cracklib-check'''
password: <font color="red">it is based on a dictionary word</font>
user@system:~$ '''echo''' 'password1' | '''/usr/sbin/cracklib-check'''
password1: <font color="red">it is based on a dictionary word</font>
user@system:~$ '''echo''' 'pass' | '''/usr/sbin/cracklib-check'''
pass: <font color="red">it is too short</font>
user@system:~$ '''echo''' 'password1!' | '''/usr/sbin/cracklib-check'''
password1!: <font color="red">it is based on a dictionary word</font>

Standard users must give the full path because the command lives in the ''/usr/sbin'' system directory, which is not in their PATH: it is, after all, an administration tool intended for root. Keep in mind that a password passed to '''echo''' on the command line is also recorded in the shell history file; test real passwords in an interactive session instead, or use throwaway samples.

Likewise the contents of a file can be fed to the checker, which reports on each password in it:
root@system:~# '''cat''' pwd.txt | '''cracklib-check'''
asdrty: OK
avoneg: <font color="red">it is based on a dictionary word</font>
drowssap1: <font color="red">it is based on a (reversed) dictionary word</font>
drowssap1!: <font color="red">it is based on a (reversed) dictionary word</font>
drowssap12?: <font color="red">it is based on a (reversed) dictionary word</font>
genova: <font color="red">it is based on a dictionary word</font>
italia: <font color="red">it does not contain enough DIFFERENT characters</font>
italia123: OK
marco: <font color="red">it is too short</font>
password: <font color="red">it is based on a dictionary word</font>
password2?: <font color="red">it is based on a dictionary word</font>
pwd12345: <font color="red">it is too simplistic/systematic</font>
qazwsxedc: <font color="red">it is based on a dictionary word</font>
qweasd: <font color="red">it is based on a dictionary word</font>
qweasdzxc: <font color="red">it is based on a dictionary word</font>
qwerty: <font color="red">it is based on a dictionary word</font>
qwerty1: <font color="red">it is based on a dictionary word</font>
qwerty123: <font color="red">it is based on a dictionary word</font>
qwerty123!: <font color="red">it is based on a dictionary word</font>
root: <font color="red">it is too short</font>
simone: <font color="red">it is based on a dictionary word</font>

The previous example used a '''pwd.txt''' text file containing one password per line. The file was read with '''cat''' and its output redirected through a "|" (pipe) to '''cracklib-check''', which checked every password and printed the verdict after the password itself. Such a file is sensitive material: give it restrictive permissions and delete it once the audit is done.
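When the list is long, the per-password output above is hard to act on, and keeping it around means keeping the candidates around. The script below is an added example, not part of the original article or of the cracklib project: it runs '''cracklib-check''' over a file and reduces the report to a count per verdict, discarding the passwords themselves, so the summary can go into a log or a ticket. It also embeds, as a constructed sample, the verdicts from the '''pwd.txt''' run shown above so the summarizer can be tried without cracklib installed. The path of '''cracklib-check''' is taken from the previous examples; the function names are my own.

```shell
#!/bin/sh
# cracklib-audit.sh - bulk-check a password list with cracklib-check and
# report which rule rejected how many candidates, without copying the
# candidates themselves into the report. Added example, not part of cracklib.

CRACKLIB_CHECK=${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}

# summarize_report
# Read "candidate: verdict" lines, the format cracklib-check prints, from
# stdin and print one "count<TAB>verdict" line per distinct verdict, most
# frequent first. The verdict is the text after the last ": ", so a
# candidate that itself contains ": " is still attributed correctly; the
# candidate is discarded, which is what makes the summary safe to keep.
summarize_report() {
    awk -F': ' 'NF > 0 { counts[$NF]++ }
                END { for (v in counts) printf "%d\t%s\n", counts[v], v }' \
      | sort -rn
}

# count_rejected
# Read the same report from stdin and print how many candidates got a
# verdict other than OK.
count_rejected() {
    awk -F': ' 'NF > 0 && $NF != "OK" { n++ } END { print n + 0 }'
}

# audit_file PASSWORD_FILE
# Run cracklib-check over PASSWORD_FILE (one candidate per line), print the
# summary and return 1 if any candidate was rejected, 0 if all passed.
# The full report lives in a 0600 temporary file and is removed afterwards.
audit_file() {
    pwfile=$1
    [ -r "$pwfile" ] || { echo "cannot read $pwfile" >&2; return 2; }
    [ -x "$CRACKLIB_CHECK" ] || { echo "$CRACKLIB_CHECK is not executable" >&2; return 2; }
    report=$(mktemp) || return 2
    chmod 0600 "$report"
    "$CRACKLIB_CHECK" < "$pwfile" > "$report"
    summarize_report < "$report"
    rejected=$(count_rejected < "$report")
    total=$(awk 'END { print NR }' "$pwfile")
    rm -f "$report"
    echo "rejected $rejected of $total candidates"
    [ "$rejected" -eq 0 ]
}

# sample_report
# Constructed sample: the verdicts cracklib-check produced for the pwd.txt
# run shown in the article, so the summary can be tried without cracklib.
sample_report() {
    cat <<'EOF'
asdrty: OK
avoneg: it is based on a dictionary word
drowssap1: it is based on a (reversed) dictionary word
drowssap1!: it is based on a (reversed) dictionary word
drowssap12?: it is based on a (reversed) dictionary word
genova: it is based on a dictionary word
italia: it does not contain enough DIFFERENT characters
italia123: OK
marco: it is too short
password: it is based on a dictionary word
password2?: it is based on a dictionary word
pwd12345: it is too simplistic/systematic
qazwsxedc: it is based on a dictionary word
qweasd: it is based on a dictionary word
qweasdzxc: it is based on a dictionary word
qwerty: it is based on a dictionary word
qwerty1: it is based on a dictionary word
qwerty123: it is based on a dictionary word
qwerty123!: it is based on a dictionary word
root: it is too short
simone: it is based on a dictionary word
EOF
}

# Usage: sh cracklib-audit.sh pwd.txt   (real run, needs cracklib-check)
#        sh cracklib-audit.sh           (summarize the built-in sample)
if [ $# -eq 1 ]; then
    audit_file "$1"
else
    sample_report | summarize_report
fi
```

The exit status makes the script usable as a gate in a provisioning or onboarding pipeline: a batch of initial passwords is accepted only when '''audit_file''' returns 0, and what gets logged is the table of rules that fired, not the strings that tripped them.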

==== Shortcomings of the Cracklib Library ====
The last example of the previous paragraph provides enough material to draw some conclusions about '''cracklib''' and its standard dictionary, the one provided with the library. Passwords shorter than six characters (cracklib's default minimum length), passwords found in the dictionary and their simple transformations, such as reversing the word or appending digits and symbols, were all spotted and rejected. Keyboard sequences and their combinations were identified and reported. The only "problematic" strings are "asdrty" and "italia123", which the tool accepted: the first is a short and only apparently random keyboard walk, the second a trivially transformed word that the default English dictionary simply does not contain ("italia" on its own was rejected for having too few different characters, not for being a dictionary word). An OK verdict therefore means only that none of cracklib's rules fired against the installed dictionary, not that the password is strong.

The check performed by '''cracklib''' is '''useful, but far from perfect'''. Its effectiveness can be improved by installing a better dictionary, but that raises a new problem: finding a good dictionary source. Ultimately it is advisable to use cracklib for password strength checks, but do not consider it infallible and always let common sense prevail.

==== Cracklib and Customized Dictionaries ====
The outcome of the checks run by '''cracklib-check''' depends heavily on the quality of the installed dictionary and on the number of words it contains. The standard dictionary shipped with the library includes roughly 60,000 English words: not enough for people or organizations speaking a different language, or for multinationals. Cracklib developers provide a second, extended dictionary (the '''cracklib-words''' archive) that can be downloaded from the project repository. It includes more than 2,000,000 common words from many languages; it is a real improvement and you are highly encouraged to '''always install the extended dictionary'''. A further improvement is the configuration of '''custom dictionaries''' containing terms specific to the organization and its field of operation. For a law firm, for example, it makes a lot of sense to include words taken from legal literature that a general dictionary lacks. The same applies to brokers, traders, a medical device manufacturer, a financial company and so on: users stick to familiar terms when choosing a password, and the verdict on "italia123" above shows what happens when such a term is missing.

The cracklib library provides a tool to create custom dictionaries: the '''create-cracklib-dict''' utility. It reads files containing words and writes a dictionary compressed and formatted according to the library's conventions into a predefined directory, ''/usr/share/cracklib/'', replacing the dictionary already there (keep a copy of the original files in case you need to roll back). Files read by '''create-cracklib-dict''' must contain a single word per line. You can start from a copy of an existing dictionary and add words to it, or build a word list from public sources such as https://en.oxforddictionaries.com/explore/word-lists. When the source files are ready, place them all in a directory, usually ''/usr/share/dict'', for ease of use, then run:
root@system # '''create-cracklib-dict''' /usr/share/dict/*

The command requires root privileges, since it writes to system directories, and produces the following files:
/usr/share/cracklib/pw_dict.hwm
/usr/share/cracklib/pw_dict.pwd
/usr/share/cracklib/pw_dict.pwi

Saving the files in a directory other than the default one requires calling '''cracklib-format''' and '''cracklib-packer''' explicitly, the two commands that '''create-cracklib-dict''' normally runs in sequence: the former normalizes and sorts the word list, the latter packs it into the three files listed above.
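Because a rebuilt dictionary replaces the installed one, the new word list must include the old words as well as the organization's terms, or the 60,000 English words are lost in the process. The script below is an added example, not part of the original article or of the cracklib project. It uses cracklib's own tools, '''cracklib-unpacker''' to export the words of the installed dictionary and '''cracklib-format''' / '''cracklib-packer''' to build the new one, and adds two steps a practitioner wants around them: a report of which organization terms the current dictionary lacks, and a build into a staging directory so a failed run never leaves ''/usr/share/cracklib'' half written. The function names, the ''org-terms.txt'' file and the ''/root/current-words'' path are assumptions.

```shell
#!/bin/sh
# build-cracklib-dict.sh - extend the installed cracklib dictionary with
# organisation-specific terms without dropping the words already in it.
# Added example, not part of cracklib; the paths and list names in the
# usage notes are assumptions. cracklib-unpacker, cracklib-format and
# cracklib-packer are cracklib's own tools.

# normalize_words FILE...
# Print the words of the given lists one per line, in the form cracklib
# compares against: lowercased (cracklib-check lowercases the candidate
# before the lookup), carriage returns and surrounding blanks removed,
# blank and '#' comment lines dropped, duplicates removed, sorted in the
# C locale so the lists can be compared with comm.
normalize_words() {
    cat -- "$@" | tr -d '\r' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -v -e '^$' -e '^#' \
      | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# missing_words CURRENT_WORDS TERMS_FILE...
# Print the terms that the current word list (for example the output of
# `cracklib-unpacker /usr/share/cracklib/pw_dict`) does not yet contain:
# these are exactly the words the custom dictionary will add.
missing_words() {
    current=$1
    shift
    cur=$(mktemp) || return 2
    normalize_words "$current" > "$cur"
    normalize_words "$@" | comm -23 - "$cur"
    rm -f "$cur"
}

# build_dict OUT_DIR CURRENT_WORDS TERMS_FILE...
# Merge the current words and the new terms, pack them with cracklib's own
# tools in a staging directory, then move the three files into OUT_DIR.
# Run as root when OUT_DIR is /usr/share/cracklib.
build_dict() {
    outdir=$1
    shift
    if ! command -v cracklib-format > /dev/null 2>&1 \
       || ! command -v cracklib-packer > /dev/null 2>&1; then
        echo "cracklib-format and cracklib-packer must be in PATH" >&2
        return 2
    fi
    stage=$(mktemp -d) || return 2
    normalize_words "$@" > "$stage/words"
    # cracklib-packer writes pw_dict.pwd, pw_dict.pwi and pw_dict.hwm
    # next to the prefix it is given.
    if ! cracklib-format "$stage/words" | cracklib-packer "$stage/pw_dict"; then
        rm -rf "$stage"
        return 1
    fi
    mkdir -p "$outdir" || { rm -rf "$stage"; return 1; }
    for ext in pwd pwi hwm; do
        mv -f "$stage/pw_dict.$ext" "$outdir/pw_dict.$ext" || { rm -rf "$stage"; return 1; }
    done
    rm -rf "$stage"
    echo "dictionary written to $outdir/pw_dict.{pwd,pwi,hwm}"
}

# Usage (as root), assuming the terms live in /usr/share/dict/org-terms.txt:
#   cracklib-unpacker /usr/share/cracklib/pw_dict > /root/current-words
#   sh build-cracklib-dict.sh missing /root/current-words /usr/share/dict/org-terms.txt
#   sh build-cracklib-dict.sh build /usr/share/cracklib /root/current-words /usr/share/dict/org-terms.txt
case ${1:-} in
    missing) shift; missing_words "$@" ;;
    build)   shift; build_dict "$@" ;;
esac
```

After the build, repeat the '''pwd.txt''' check from the previous paragraph: a term that '''missing''' reported, such as "italia", must now be rejected as a dictionary word, and a word that was already rejected before must still be. If either fails, restore the saved copy of the original three files.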

For more information about cracklib, its use and its internals, refer to the documentation of the library and of the installed distribution, which often provides its own configuration tools and scripts.

=== Cracklib Alternatives Freely Available on the Internet ===
Cracklib is designed to run locally on a machine. Searching the Internet you will find web sites offering the same functionality, such as:
* [https://howsecureismypassword.net/ How Secure Is My Password].
* [https://www.avxperten.dk/password-checker/ Password Checker].
* [http://www.passwordmeter.com/ Password Meter].
* [https://password.kaspersky.com/it/ Kaspersky Secure Password check].
And many more turn up in any search engine. All of the listed pages share a common interface: a text box for the password, an option to hide or show it, a graphic widget giving quick feedback on the string and a list of hints to increase password strength. Never type a password you actually use into a third-party page: even when the check runs in the browser, you cannot verify what the page does with the string. Use such services with throwaway samples only.

'''The web sites listed above share some of cracklib's merits and flaws''', and their feedback too depends heavily on their dictionaries. Some of them perform well against dictionary words, others weigh string length more, others mainly reward a mix of lowercase and uppercase characters, digits and symbols. No tool provides the definitive answer to weak passwords, but their use, perhaps combined, certainly helps to discard trivial and potentially unsafe ones.


== Conclusions ==

I introduced '''cracklib''', a library useful to test password strength and discard weak passwords that could pose a security threat to users or servers. The article discussed the installation procedure and provided some usage examples of the '''cracklib-check''' program. Some links to alternative free on-line tools and resources were provided in the final part of this paper. '''In conclusion I recommend installing and routinely using cracklib to improve the security of both home and business systems'''.


For any feedback, questions, errors and such, please e-mail me at ''studiosg [at] giustetti [dot] net''


External links

----

* [https://github.com/cracklib/cracklib GitHub Cracklib Page]
* [http://slackbuilds.org/result/?search=cracklib&sv= SlackBuilds.org Cracklib Page]
* [http://www.linux.com Linux.com home page]
* [http://www.linux.org Linux.org home page]
* [http://www.linuxfoundation.org Linux Foundation home page]

----

{{footer_en | link_page=usare_cracklib}}
