cracklib dicts size (and fedora password policy)
Matthew Miller
mattdm at fedoraproject.org
Fri Sep 6 13:20:01 UTC 2013
On Fri, Sep 06, 2013 at 03:08:54PM +0200, Tomas Mraz wrote:
> The other option would be to fix the gzip support in cracklib to cache
> the unpacked data somehow. However, that would require keeping the
> unpacked dictionary in RAM when cracklib is loaded, which is suboptimal
> as well. Or we could make the cracklib-dicts optional somehow so it is
> possible to install an ultra small cloud image without the dictionary at
> all - I expect an ultra small cloud image not to need password quality
> checking at all.

Yes, that's https://bugzilla.redhat.com/show_bug.cgi?id=865521 :)

"Optional somehow" is easy -- make "cracklib-dicts-full" and
"cracklib-dicts-small" and make them both provide "cracklib-dicts".
(The small could consist of some list of N most common passwords, plus
N most common words in N languages, where all of the Ns are chosen to keep
the filesize to 100k or so.)

Somewhat ironically, I bet we could compress that 100k without much of a
performance hit, too. :)

--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm at fedoraproject.org>