acceptable_password(3)
NAME
acceptable_password - Determines if a password meets deduction requirements
(Enhanced Security)
LIBRARY
Security Library - libsecurity.so
SYNOPSIS
int acceptable_password(
        char *word,
        FILE *stream);
PARAMETERS
word      Points to the suggested password.
stream    Points to the stream to write diagnostics into.
DESCRIPTION
The acceptable_password() function determines if the given password is
difficult to deduce from well-known password-guessing heuristics. The
cleartext (plaintext) password is passed as the first argument, and the
file pointer of the stream that is used to report failure reasons is the
second argument. If this checking is to be silent, the second argument
should be a null file pointer.

When the acceptable_password() function returns a value of 1, the password
provided meets all the tests listed in the following text. When it returns
a value of 0 (zero), the password failed to meet at least one of the tests.

The selectivity criteria for the password include, but are not limited to,
the following four tests:
Palindrome      This test passes if the word is not a palindrome. (A
                palindrome is a word that is spelled the same backwards as
                it is forwards.) Examples of palindromes that fail this test
                are mom, dad, noon, redivider, radar. Palindromes do not
                make good passwords because they reduce an n character
                password to n/2 + 1 characters. A penetrator knowing that
                palindromes were legal could use heuristics that could
                deduce the password much more quickly than if they were
                excluded.

Login Name      This test passes if the password is not a derivative of a
                login name for the system. Many insecure systems allow
                passwords to be the login name itself. This is a fact known
                by many penetrators. All login names are excluded because a
                user that is the owner of several pseudouser accounts can
                elect to use the login name of one account as the password
                for all accounts.

Group Name      Similar to the login name issue, this test passes if the
                password is not a group name derivative.

English Word    This test passes if the spell program determines that the
                password is not an English word. A penetrator then could
                not search the online dictionary to find the password. The
                spell program also has some built-in rules that go beyond
                the actual online dictionary in determining what is a proper
                word, and this routine takes advantage of that.
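The following is an added illustration, not the libsecurity.so implementation: a portable C sketch of the palindrome and login/group-name tests, with the same return and diagnostic-stream contract described above. The names sketch_acceptable and SAMPLE_NAMES, the constructed name list, and the definition of "derivative" used here are assumptions; the English-word test through spell is omitted.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Palindrome test: returns 1 if the word passes (is not a palindrome). */
static int passes_palindrome(const char *w)
{
    size_t i = 0, j = strlen(w);
    if (j == 0) return 0;                 /* assumption: empty word fails */
    for (j--; i < j; i++, j--)
        if (w[i] != w[j]) return 1;
    return 0;
}

/* Assumed meaning of "derivative": ignoring case, the word is the name,
 * the name reversed, or the name followed only by digits. */
static int is_derivative(const char *w, const char *name)
{
    size_t n = strlen(name), len = strlen(w), i;
    int fwd = 1, rev = (len == n);
    if (n == 0 || len < n) return 0;
    for (i = 0; i < n; i++) {
        int c = tolower((unsigned char)w[i]);
        if (c != tolower((unsigned char)name[i])) fwd = 0;
        if (c != tolower((unsigned char)name[n - 1 - i])) rev = 0;
    }
    for (i = n; fwd && i < len; i++)      /* forward match: tail must be digits */
        if (!isdigit((unsigned char)w[i])) fwd = 0;
    return fwd || rev;
}

/* Constructed names standing in for /etc/passwd and /etc/group entries. */
static const char *const SAMPLE_NAMES[] = { "root", "operator", "staff", NULL };

/* Same contract as the page describes: 1 = acceptable, 0 = failed a test;
 * reasons go to stream unless it is NULL. The word itself is never written. */
int sketch_acceptable(const char *word, const char *const *names, FILE *stream)
{
    int ok = passes_palindrome(word);
    if (!ok && stream) fputs("password is a palindrome\n", stream);
    for (; *names; names++) {
        if (!is_derivative(word, *names)) continue;
        if (stream) fputs("password derives from a login or group name\n", stream);
        return 0;
    }
    return ok;
}

int main(void) { return sketch_acceptable("noon", SAMPLE_NAMES, stderr); }
```

On a real system the name list would be gathered with getpwent(3) and getgrent(3) instead of the constructed array.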
NOTES
Programs that use this routine must be compiled with -lsecurity.
FILES
/etc/passwd
        System password file.
/etc/group
        System group file.
RELATED INFORMATION
Functions: getpwent(3), getgrent(3).
Commands: spell(1).