cracklib dicts size (and fedora password policy)

Daniel P. Berrange berrange at redhat.com
Fri Sep 6 13:19:16 UTC 2013


On Fri, Sep 06, 2013 at 09:04:34AM -0400, Matthew Miller wrote:
> The cracklib dicts in Fedora are 8.3M. (I'm sure some of this is my fault, as
> I've added to it over the years.) The cracklib pam module supports a
> compressed dictionary, but apparently it has a serious performance impact
> (https://bugzilla.redhat.com/show_bug.cgi?id=1004896).

That's an odd bug report - decompressing a mere 8 MB file really shouldn't
have as high a penalty as the bug suggests. Sounds like perhaps there is
a perf problem in cracklib that could be usefully fixed here, rather than
just closing the bug saying compression is unusable. It might also be worth
trying lzop, which IIRC has much better decompression performance than gzip,
albeit with slightly worse size.

> Meanwhile, in many systems today, local passwords are entirely unused.
> Authentication is done via keys or by kerberos.
> 
> At the same time, we have an increased need for smaller systems. That 8MB
> starts to be a meaningful fraction of a container or an ultra-small cloud
> image.
> 
> I do recognize the value of protecting against dictionary-based attacks when
> passwords are used. Maybe we could have a policy which requires _longer_
> passwords but uses a much smaller dictionary?

Or by default require that every password have at least one non-alphanumeric
character in it, at which point it'll never match a regular dictionary
entry?

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
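As an added illustration (not code from the thread, cracklib or pam_cracklib), the two policy ideas discussed above side by side against a constructed five-word stand-in for a small dictionary. The `normalise` helper is a deliberate simplification in the spirit of cracklib's mangling (lower-case, strip surrounding punctuation and digits), not its actual rules; it shows why a "non-alphanumeric required" rule only pays off when the dictionary lookup normalises the candidate rather than comparing it verbatim.

```python
import string

# Constructed stand-in for a much smaller cracklib-style dictionary.
SMALL_DICT = {"password", "letmein", "fedora", "dragon", "qwerty"}

ALNUM = set(string.ascii_letters + string.digits)


def has_non_alnum(pw: str) -> bool:
    """True if at least one character is outside [A-Za-z0-9]."""
    return any(c not in ALNUM for c in pw)


def normalise(pw: str) -> str:
    """Reduce a candidate to the form a dictionary checker would compare:
    lower-case, with leading/trailing punctuation, digits and spaces removed.
    Simplified mangling written for this example, not cracklib's algorithm."""
    return pw.lower().strip(string.punctuation + string.digits + " ")


def in_dictionary(pw: str, words=SMALL_DICT, normalised: bool = True) -> bool:
    """Dictionary hit, either on the normalised form or on the raw string."""
    candidate = normalise(pw) if normalised else pw.lower()
    return candidate in words


def policy_longer_small_dict(pw: str, min_len: int = 12) -> bool:
    """First proposal: longer minimum length plus a small dictionary.
    Returns True when the password is accepted."""
    return len(pw) >= min_len and not in_dictionary(pw)


def policy_non_alnum(pw: str, naive_lookup: bool) -> bool:
    """Second proposal: require a non-alphanumeric character.
    With a naive exact lookup no dictionary word can match a decorated
    password, so 'password!' is accepted; with a normalising lookup the
    same trivially decorated word is still rejected."""
    if not has_non_alnum(pw):
        return False
    return not in_dictionary(pw, normalised=not naive_lookup)


if __name__ == "__main__":
    for pw in ("password!", "password1234", "correct-horse", "fedora"):
        print(pw, policy_longer_small_dict(pw),
              policy_non_alnum(pw, True), policy_non_alnum(pw, False))
```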
