Bug 865521

Summary: rfe: smaller, smarter cracklibs-dict by default
Product: [Fedora] Fedora Reporter: Matthew Miller <mattdm>
Component: cracklibAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bugzilla, glen, nalin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-12-20 15:07:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net) none

Description Matthew Miller 2012-10-11 16:33:54 UTC 
9MB isn't gigantic, but I'd like to get the Fedora cloud image as small as possible. Hopefully, people will be using ssh keys and not passwords at all in the cloud anyway. Cracklib-dicts is in the dependency chain of, well, anything, and so shipping a minimal version is an easy way to reduce image size.

I know I'm responsible in part for the growth of this package, but times change. :)

Ideally, the big dictionary package would be installed by default, but a smaller version could also fill the dependency.
Comment 1 Fedora Admin XMLRPC Client 2013-06-10 16:17:38 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 2 Matthew Miller 2013-09-09 00:24:50 UTC 
I see that there is a "cracklib-small" already. Maybe that's the place to start? Alternately, there's this list http://xato.net/passwords/more-top-worst-passwords/#more-269 of the 10,000 most common passwords, which the researcher suggests are used by 98.8% (!) of users. That's even smaller than cracklib-small and may have a stronger positive impact.
Comment 3 Matthew Miller 2014-06-26 17:51:11 UTC 
Can we revisit this for F21?
Comment 4 Matthew Miller 2014-07-11 15:58:00 UTC 
Note that the top 10k list is licensed CC-BY-SA 3.0, with text as follows:

"You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net)."
Comment 5 Matthew Miller 2015-07-22 16:32:42 UTC 
Original site seems down, but list is widely available. See for example https://github.com/typhoon2099/PasswordBannedList/blob/master/banned.list.

This could also be combined with https://github.com/first20hours/google-10000-english, and possibly similar for a few other languages, still yielding a much smaller overall dict.
Comment 6 Matthew Miller 2015-07-22 21:03:05 UTC 
Created attachment 1055018 [details]
common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net)
Comment 7 Matthew Miller 2015-07-23 19:30:37 UTC 
See https://fedorahosted.org/fesco/ticket/1455 -- I think that for the purposes of this ticket, simply subpackaging cracklib-small separately should be sufficient.

Right now, libpwquality and pam both directly require cracklib-dicts; I guess cracklib-dicts-small could provide this, and then cracklib itself could have "Recommends: cracklib-dicts"?
Comment 8 Tomas Mraz 2015-07-24 08:38:00 UTC 
I am afraid the dependency problem will have to be resolved differently. 

Currently even if we subpackaged the cracklib-dicts-small the file will not be usable without configuring explicit dictpath in pwquality.conf (or in case of pam_cracklib on its command line - however that is a legacy module and we can probably ignore it now).

We could probably change the hard Requires in pam and libpwquality to Recommends. However I am not sure whether that helps with the Cloud product - i.e. whether cloud images can ignore weak deps.
Comment 9 Matthew Miller 2015-07-24 13:48:05 UTC 
I noticed that you're adding "conf.d" support to libpwquality. Might it be possible for each dict subpackage to include a conf snippit enabling that dictionary?

The cloud images *can* ignore weak deps. Right now, Recommends aren't installed by default at all and need to be listed; in the future if this changes, we can always "-" them.
Comment 10 Matthew Miller 2016-10-27 14:53:10 UTC 
Is this fixed by #1323172?
Comment 11 Tomas Mraz 2016-10-31 08:50:35 UTC 
It basically depends on you whether you think the fix for bug 1323172 is sufficient for you.
Comment 12 Matthew Miller 2017-01-26 18:04:23 UTC 
I guess it is, although I think it would still be nice to ship the smaller dictionary as an alternative option, but whatever.
Comment 13 Matthew Miller 2018-05-07 10:18:37 UTC 
This is a 2013 article I'm just now reading, but I think it emphasizes the point
https://arstechnica.com/information-technology/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/

Attackers are now using terabyte+ wordlists. This makes our several-megabyte one mostly pointless. As of 2018, NIST still recommends using such a blacklist (see https://pages.nist.gov/800-63-3/sp800-63b.html), but I think instead of our multi-megabyte millions-of-entries list, we should *default* to a much smaller dictionary. This covers a) the recommendation and b) the most obvious human-guessable choices but keeps image size small.
Comment 14 Tomas Mraz 2018-12-20 15:07:58 UTC 
We are not going to pursue this RFE at this point. If there is interest in providing optional small cracklib dictionary feel free to provide PRs in Pagure.