ACCEPT_PW(S) UNIX System V ACCEPT_PW(S)
Name
acceptable_password - determine if password is cryptic
Syntax
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
int acceptable_password (word, stream)
char *word;
FILE *stream;
Description
This routine determines whether the given password is
reasonable, i.e., that it is very hard to deduce by a number
of heuristic means. The cleartext (plaintext) password is
passed as the first argument, and the file pointer of the
stream on which to report failure reasons is the second
argument. If this checking is to be silent, the second
argument should be the NULL file pointer.
When acceptable_password returns a 1, the password provided
meets all the tests below. When it returns a 0, the
password failed to meet at least one of the tests.
The selectivity criteria for the password include but may
not be limited to the following four tests:
Palindrome
     This test passes if the word is not a palindrome. (A
     palindrome is spelled the same backwards as forwards.)
     Examples of palindromes that fail on this test are: mom,
     dad, noon, redivider, radar. Palindromes do not make good
     passwords because they reduce an n-character password to
     n/2 + 1 characters. A penetrator knowing that palindromes
     were legal could use heuristics that could deduce the
     password much more quickly than if they were excluded.
Login Name
     This test passes if the password is not a login name for
     the system. Many insecure systems allow the password to
     be the login name itself. This is a fact known by many
     penetrators. All login names are excluded because a user
     who is the owner of several pseudo-user accounts may elect
     to use the login name of one account as the password for
     all his accounts.
Group Name
     Similar to the login name issue, this test passes if the
     password is not a group name.
English word
     This test passes if spell(C) determines that this is not
     an English word. A penetrator then could not search the
     on-line dictionary to find the password. The spell program
     also has some built-in rules that go beyond the actual
     on-line dictionary in determining what is a proper word,
     and this routine takes advantage of that.
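The palindrome, login-name and group-name tests above, re-created with the standard getpwnam() and getgrnam() lookups. This is an added example, not SCO's implementation: the names password_passes_checks, is_palindrome and fail are hypothetical, palindrome matching is assumed to be case-sensitive, and the spell(C) test is left out.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if word reads the same in both directions. Byte-exact and
 * case-sensitive (an assumption; the page does not say). */
static int is_palindrome(const char *word)
{
    size_t i = 0, j = strlen(word);

    if (j == 0)
        return 1;                 /* empty input is never acceptable */
    for (j--; i < j; i++, j--)
        if (word[i] != word[j])
            return 0;
    return 1;
}

/* Reports one failure reason unless stream is NULL (silent mode). */
static int fail(FILE *stream, const char *why)
{
    if (stream)
        fprintf(stream, "%s\n", why);
    return 0;
}

/* Same contract as documented above: 1 = passed every test run here,
 * 0 = failed at least one. All tests run so every reason is reported. */
int password_passes_checks(const char *word, FILE *stream)
{
    int ok = 1;

    if (word == NULL)
        return 0;
    if (is_palindrome(word))    ok = fail(stream, "password is a palindrome");
    if (getpwnam(word) != NULL) ok = fail(stream, "password is a login name");
    if (getgrnam(word) != NULL) ok = fail(stream, "password is a group name");
    return ok;
}

int main(void)
{
    const char *samples[] = { "radar", "redivider", "Tr7#kq9!Lm" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s -> %d\n", samples[i], password_passes_checks(samples[i], stdout));
    return 0;
}
```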
Notes
This routine only works as advertised when
set_auth_parameters is called as the first item in main().
Files
/etc/passwd
/etc/group
/usr/lib/spell/*
See Also
spell(C), getpwent(S), getgrent(S)
Value Added
acceptable_password is an extension of AT&T System V
provided by the Santa Cruz Operation.
(printed 6/20/89)