Password quality pluggable interface project review

Russ Allbery rra at stanford.edu
Mon Aug 30 15:41:55 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:

>  - quality check requires more inputs:

>     - the KDB entry, specifically, so the password quality module can
>       check the user's password history

I wouldn't externalize this into a module, personally, due to the
instability in the KDB structures.

>     (and maybe other things, such as user's languages, so that
>     dictionary checks can be done for all the languages the user speaks)

That would be a very bad idea for a password quality check.  To prevent a
password guessing attack, the language of the user is irrelevant.  You
care about the language of the attacker, or rather, what dictionaries the
attacker has.  Therefore, the only safe assumption is to assume that the
attacker will check all languages, and you should do the same thing.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
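A password-quality check in the spirit of Russ's point, added here as an illustration (not code from the thread or from the Kerberos project): it takes no user-language input at all and runs every mangled form of the password against wordlists for all languages. The wordlists and mangling rules are constructed sample data standing in for real dictionaries.

```python
import re
import unicodedata

# Constructed sample wordlists; a real deployment would load full
# dictionaries from disk. The language tag is only a label: the check
# never chooses among them based on who the user is.
WORDLISTS = {
    "en": {"password", "secret", "welcome"},
    "de": {"passwort", "geheim", "willkommen"},
    "fr": {"motdepasse", "bienvenue"},
}

# Common substitutions an attacker's rules would undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password):
    """Yield the normalised forms a dictionary attack would also try."""
    base = unicodedata.normalize("NFKD", password)
    base = "".join(c for c in base if not unicodedata.combining(c)).lower()
    seen = set()
    for form in (base, base.translate(LEET)):
        # strip trailing and leading digit/punctuation runs ("welcome123!")
        no_tail = re.sub(r"[\d\W_]+$", "", form)
        no_ends = re.sub(r"^[\d\W_]+", "", no_tail)
        for f in (form, no_tail, no_ends):
            if f and f not in seen:
                seen.add(f)
                yield f


def check_password(password, wordlists=WORDLISTS, min_len=8):
    """Return (ok, reason); every language's list is checked, not one."""
    if len(password) < min_len:
        return False, "too short"
    for form in candidates(password):
        for lang, words in wordlists.items():
            if form in words:
                return False, f"dictionary word ({lang}): {form}"
    return True, "ok"
```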
