cracklib2 - a pro-active password library

cracklib2 is a library containing a C function which may be used in a passwd like program. The idea is simple: try to prevent users from choosing passwords that could be guessed by crack by filtering them out, at source. cracklib2 is not a replacement passwd program. cracklib2 is a library.

cracklib2 is an offshoot of version 5 of the crack software and contains a considerable number of ideas nicked from the new software.

cracklib2's home page provides some links on security publications and access to source code written by the author of cracklib2. While there is a README there is not much documentation available on cracklib2. Hopefully this page that I generated for the Debian/GNU Linux distribution will improve this situation.

Index

  1. Why cracklib2?
  2. Who is responsible for all of this?
  3. How to use cracklib2 with Debian
  4. Debian cracklib2 package overview.
  5. Debian cracklib-runtime utilities. (only available if cracklib-runtime package installed)
  6. Debian changelog.
  7. Upstream changelog.
  8. Copyright file.

Why cracklib2?

One of the most common security weaknesses in computer systems is the use of easily guessed passwords. cracklib2 tries to prevent the selection of weak passwords by checking potential passwords against dictionaries of commonly used or easily guessed words.

Who is responsible for all of this?

Alec Muffett <alecm@crypticide.com> is the author of cracklib2. Jean Pierre LeJacq <jplejacq@quoininc.com> initially produced this Debian package, Martin Pitt <mpitt@debian.org> is its current maintainer.

How to use cracklib2 with Debian

Ideally, the password quality check should be done when an user sets his/her password. The PAM (Pluggable Authentication Modules) architecture makes it easy to integrate arbitrary checks (like cracklib2) into programs like passwd and ssh.

To use cracklib2 in Debian, install the package libpam_cracklib and append the following two lines to /etc/pam.d/passwd:

    password required       pam_cracklib.so retry=3 minlen=6 difok=3
    @include other

From now on, cracklib2 checks the password quality whenever a password is changed with passwd and rejects bad ones.

Debian cracklib2 package overview.

The source package is cracklib2 which generates the following binary packages:

cracklib2
Shared library and this documentation.
cracklib2-dev
Header files, static libraries, and symbolic links developers using cracklib2 will need. This package also provides an example program that shows the usage of cracklib2 in own applications.
cracklib-runtime
Run-time support programs which use the shared library in cracklib2 including programs to build the password dictionary databases used by the functions in the shared library.

This package does not include dictionaries since there are already lots of them in Debian (wenglish, wngerman, etc.).

Original Copyright © 1998, 1999 Jean Pierre LeJacq
Currently maintained by Martin Pitt
Distributed under the GNU GENERAL PUBLIC LICENSE.
last-modified: Thu, 21 Oct 2003