accept_pw(S)                    6 January 1993                    accept_pw(S)

Name
    acceptable_password - determine if password is cryptic

Syntax
    cc . . . -lprot

    #include <sys/types.h>
    #include <sys/security.h>
    #include <sys/audit.h>
    #include <prot.h>

    int acceptable_password (word, stream)
    char *word;
    FILE *stream;

Description
    This routine determines whether the given password is reasonable; that is,
    whether it is very hard to deduce by a number of heuristic means. The
    cleartext (plaintext) password is passed in as the argument word, and the
    second argument, stream, is a file pointer on which failure-reason messages
    are reported. If the check is to be silent, pass a NULL file pointer as the
    second argument so that no messages are written.

    When acceptable_password returns 1, the password meets all of the tests
    described below. When it returns 0, the password failed at least one of the
    tests or an internal error occurred.

    The selectivity criteria for the password include, but may not be limited
    to, the following four tests:

    palindrome
        This test is passed if the word is not a palindrome. (A palindrome is a
        word that is spelled the same backwards as forwards.) Examples of
        palindromes that fail this test are: mom, dad, noon, redivider, radar.
        Palindromes do not make good passwords because they reduce an
        n-character password to n/2 + 1 characters of information. A penetrator
        who knows that palindromes are legal can use heuristics that deduce the
        password much more quickly than if they were excluded.

    login name
        This test is passed if the password is not a system login name or a
        closely related string. Insecure systems allow the password to be the
        login name itself, a fact well known to penetrators. All login names are
        excluded, not just the user's own, because a user who owns several
        pseudo-user accounts may elect to use the login name of one account as
        the password for all of them.

    group name
        Similar to the login name test, this test is passed if the password is
        not a group name or a closely related string.

    English word
        This test is passed if the spell(C) program determines that the supplied
        password is not an English word, so that a penetrator cannot search the
        on-line dictionary to find the password. The spell program also has
        built-in rules that go beyond the on-line dictionary in determining what
        is a proper word, and this routine takes advantage of those rules.

Return value
    When a supplied password meets all of the criteria, acceptable_password
    returns a value of 1. If the supplied password fails one of the tests, or if
    an internal error occurs, the routine returns a value of 0.

Note
    This routine works correctly only if set_auth_parameters is called as the
    first item in main().

Files
    /etc/passwd
    /etc/group
    /usr/lib/spell/*

See also
    spell(C), getpwent(S), getgrent(S)

Standards conformance
    acceptable_password is not part of any currently supported standard; it is
    an extension of AT&T System V provided by the Santa Cruz Operation.
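As an added illustration, not SCO's libprot code, the following C function reimplements the four documented tests with the same return and stream contract as acceptable_password(), over constructed sample lists standing in for /etc/passwd, /etc/group and the spell word list. The meaning of "closely related" (case-insensitive match or the name reversed) is an assumption, since the page does not define it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for /etc/passwd, /etc/group and the
 * spell(C) word list; the real routine consults those files. */
static const char *LOGIN_NAMES[] = { "root", "daemon", "alice", NULL };
static const char *GROUP_NAMES[] = { "wheel", "staff", "users", NULL };
static const char *DICT_WORDS[]  = { "secret", "password", "welcome", NULL };

/* A palindrome reads the same backwards as forwards (mom, noon, radar). */
static int is_palindrome(const char *w)
{
    size_t n = strlen(w), i;
    for (i = 0; i < n / 2; i++)
        if (w[i] != w[n - 1 - i]) return 0;
    return n > 0;
}

/* "Closely related" is assumed here to mean: equal ignoring case, or the
 * name spelled backwards.  The man page does not define the term. */
static int closely_related(const char *w, const char *name)
{
    size_t n = strlen(name), i;
    int same = 1, rev = 1;
    if (strlen(w) != n) return 0;
    for (i = 0; i < n; i++) {
        int c = tolower((unsigned char)w[i]);
        if (c != tolower((unsigned char)name[i])) same = 0;
        if (c != tolower((unsigned char)name[n - 1 - i])) rev = 0;
    }
    return same || rev;
}

static int matches_any(const char *w, const char **list)
{
    while (*list) if (closely_related(w, *list++)) return 1;
    return 0;
}

/* Same contract as acceptable_password(): 1 when every test passes, 0 when
 * one fails; the first failure reason goes to stream unless it is NULL. */
int check_password(const char *word, FILE *stream)
{
    const char *why = NULL;
    if (is_palindrome(word))                 why = "password is a palindrome";
    else if (matches_any(word, LOGIN_NAMES)) why = "password matches a login name";
    else if (matches_any(word, GROUP_NAMES)) why = "password matches a group name";
    else if (matches_any(word, DICT_WORDS))  why = "password is an English word";
    if (why && stream) fprintf(stream, "%s\n", why);
    return why == NULL;
}
```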