Pasword quality pluggable interface project review

Russ Allbery rra at
Mon Aug 30 15:41:55 EDT 2010

Nicolas Williams <Nicolas.Williams at> writes:

>  - quality check requires more inputs:

>     - the KDB entry, specifically, so the password quality module can
>       check the user's password history

I wouldn't externalize this into a module, personally, due to the
instability in the KDB structures.

>     (and maybe other things, such as user's languages, so that
>     dictionary checks can be done for all the languages the user speaks)

That would be a very bad idea for a password quality check.  To prevent a
password guessing attack, the language of the user is irrelevant.  You
care about the language of the attacker, or rather, what dictionaries the
attacker has.  Therefore, the only safe assumption is to assume that the
attacker will check all languages, and you should do the same thing.

Russ Allbery (rra at             <>

More information about the krbdev mailing list