cracklib dicts size (and fedora password policy)

Daniel P. Berrange berrange at redhat.com
Fri Sep 6 13:25:45 UTC 2013


On Fri, Sep 06, 2013 at 03:08:54PM +0200, Tomas Mraz wrote:
> On Fri, 2013-09-06 at 09:04 -0400, Matthew Miller wrote: 
> > The cracklib dicts in Fedora is 8.3M. (I'm sure some of this is my fault, as
> > I've added to it over the years.) The cracklib pam module supports a
> > compressed dictionary, but apparently it has a serious performance impact
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1004896).
> > 
> > Meanwhile, in many systems today, local passwords are entirely unused.
> > Authentication is done via keys or by kerberos.
> > 
> > At the same time, we have an increased need for smaller systems. That 8MB
> > starts to be a meaningful fraction of a container or an ultra-small cloud
> > image.
> > 
> > I do recognize the value of protecting against dictionary-based attacks when
> > passwords are used. Maybe we could have a policy which requires _longer_
> > passwords but uses a much smaller dictionary?
> 
> The other option would be to fix the gzip support in cracklib to cache
> the unpacked data somehow. However that would require to keep the
> unpacked dictionary in RAM when cracklib is loaded, which is suboptimal
> as well. Or we could make the cracklib-dicts optional somehow so it is
> possible to install an ultra small cloud image without the dictionary at
> all - I expect ultra small cloud image not needing password quality
> checking at all.

As an unscientific test, I looked at how long it takes to decompress
the file pw_dict.pwd file with gzip

 # gzip  -c -9 /usr/share/cracklib/pw_dict.pwd > pw_dict.pwd.gz
 # echo 2 > /proc/sys/vm/drop_caches
 # time gunzip -c pw_dict.pwd.gz > pw_dict.pwd
 real	0m0.112s
 user	0m0.104s
 sys	0m0.007s

IOW, AFAICT, decompression time of pw_dict.pwd should not even be
noticeable, unless it is decompressing it multiple times during a
single password change operation? Even then it would have to be
decompressing it at least 10 times to become really noticeable.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
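The thread weighs three costs against each other: dictionary size on disk, the time to decompress it on each check, and the RAM needed if the unpacked dictionary is cached instead. The script below is an added example, not code from the thread, cracklib or Fedora; it builds a constructed word list of the same general shape as a cracklib dictionary (one lowercase word per line), gzips it, and then times a naive "decompress on every check" path against an "unpack once, keep in memory" path, reporting the bytes each approach occupies. The word list, word count and candidate passwords are all constructed here; the function names are this example's own.

```python
"""Added example (not from the thread): compare decompressing a gzip'd
dictionary on every password check against unpacking it once and holding it
in RAM, reporting disk size, RAM footprint and elapsed time for each path.
The word list is constructed inline; a real test would read cracklib's
pw_dict.pwd (or the plain words file) from /usr/share/cracklib instead."""
import gzip
import sys
import time


def build_wordlist(n_words: int) -> bytes:
    """Construct a stand-in word list: one lowercase word per line."""
    return b"".join(b"word%08d\n" % i for i in range(n_words))


def compress(data: bytes) -> bytes:
    """Same setting the thread used on the command line (gzip -9)."""
    return gzip.compress(data, compresslevel=9)


def load_wordset(compressed: bytes) -> frozenset:
    """Decompress and parse into a set: the 'unpack once' path."""
    return frozenset(gzip.decompress(compressed).split(b"\n")) - {b""}


def check_per_call(compressed: bytes, candidate: bytes) -> bool:
    """Naive path: decompress the whole dictionary for every single check."""
    return candidate.lower() in load_wordset(compressed)


def check_cached(wordset: frozenset, candidate: bytes) -> bool:
    """Cached path: a set lookup against the already-unpacked dictionary."""
    return candidate.lower() in wordset


def benchmark(n_words: int = 100_000, n_checks: int = 20) -> dict:
    """Return sizes and timings for both paths over n_checks candidates."""
    raw = build_wordlist(n_words)
    gz = compress(raw)
    # Constructed candidates; with the defaults 13 of the 20 fall inside the list.
    candidates = [b"word%08d" % (i * 7919) for i in range(n_checks)]

    t0 = time.perf_counter()
    hits_naive = sum(check_per_call(gz, c) for c in candidates)
    naive_seconds = time.perf_counter() - t0

    t0 = time.perf_counter()
    words = load_wordset(gz)
    load_seconds = time.perf_counter() - t0

    t0 = time.perf_counter()
    hits_cached = sum(check_cached(words, c) for c in candidates)
    cached_seconds = time.perf_counter() - t0

    # Rough RAM cost of caching: the set object plus each bytes object in it.
    ram_bytes = sys.getsizeof(words) + sum(sys.getsizeof(w) for w in words)

    return {
        "raw_bytes": len(raw),
        "gz_bytes": len(gz),
        "ram_bytes": ram_bytes,
        "naive_seconds": naive_seconds,
        "load_seconds": load_seconds,
        "cached_seconds": cached_seconds,
        "hits": hits_naive,
        "consistent": hits_naive == hits_cached,
    }


if __name__ == "__main__":
    for key, value in benchmark().items():
        print(f"{key:15s} {value}")
```

The naive path models the situation Daniel speculates about (the module decompressing the dictionary more than once per password change); the cached path models Tomas's alternative of keeping the unpacked data in memory, and `ram_bytes` shows what that costs. On a real system the numbers scale with the size of pw_dict.pwd rather than this constructed list, so point `build_wordlist` at the actual file before drawing conclusions.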

