Bug 911196

Summary: libpwquality password length calculation issues
Product: [Fedora] Fedora
Reporter: Michael Catanzaro <mcatanzaro+wrong-account-do-not-cc>
Component: libpwquality
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 18
CC: tmraz
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-02-18 16:01:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Michael Catanzaro 2013-02-14 14:51:23 UTC
Description of problem: libpwquality accepts passwords with fewer characters than its reported minimum length


Version-Release number of selected component (if applicable): 1.2.1-1.fc18


How reproducible: Always


Steps to Reproduce:
In System Settings (control-center 3.6.3-1.fc18), pretend to change the password on your user account. The password strength indicator determines whether libpwquality has accepted the password; however in this version of control-center the "change password" button sensitivity depends only on the reported minimum password length. Add characters to the new password one at a time and note both when libpwquality determines the password is good and when the "change password" button becomes sensitive.
  
Actual results: The password is reported to be of sufficient quality before the change password button becomes sensitive, indicating that the min password length has not been reached.


Expected results: Sensitivity changes when password is deemed acceptable.


Additional info: In the next version of System Settings, sensitivity will depend on reported password quality rather than min password length, and therefore THE HOW TO REPRODUCE ABOVE WILL NO LONGER INDICATE A PROBLEM although the bug may remain. See bgo#691907.

Two comments from there are relevant to this report:


Comment #1, Ondrej Holy:

"there are probably some bugs in the libpwquality,
because for passwords:

'a 1' -> The password is shorter than 6 characters
'a b' -> The password is shorter than 7 characters
'abc' -> The password is shorter than 8 characters

However minimal length should be 9 according:

pwquality_get_int_value (pwquality_default_settings (), PWQ_SETTING_MIN_LENGTH,
&value)

But e.g. 8 characters 'krutodemo' doesn't return any error..."


Comment #2, Matthias Clasen:

"If you look at check.c in libpwquality, around line 260, you'll find that it
doesn't actually return the minimal length, but something more like
min_length - required_digits - required_other. Clearly a bug in libpwquality.

By my count, krutodemo actually has 9 characters: kru tod emo"

Comment 1 Tomas Mraz 2013-02-18 16:01:30 UTC
This is not a bug but an expected behavior. If you look at the pwquality.conf and pam_pwquality manpages you can see that the minlen parameter is not a pure length but something more complicated in case nonzero settings are set for [dluo]credit parameters. This is also reflected in the error messages.
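The credit arithmetic behind the numbers quoted in this report, written out as an added Python illustration rather than libpwquality's own code. The settings it assumes (minlen=9 and a credit of 1 for each of the digit, upper, lower and other classes) are inferred from the values the thread reports, not read from any pwquality.conf; the message strings only follow the style of libpwquality's errors. It also shows the negative-credit case from the pam_pwquality manpage, where a class becomes a required minimum count instead of a credit.

```python
"""Credit-aware minimum-length check in the style of pam_pwquality(8).

Added illustration, not libpwquality's own code.  The default Settings
values are an assumption inferred from the numbers quoted in the bug
thread (minlen 9, one credit per character class).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Order and human-readable names of the four character classes.
CLASSES = ("d", "u", "l", "o")
NAMES = {
    "d": "digits",
    "u": "uppercase letters",
    "l": "lowercase letters",
    "o": "non-alphanumeric characters",
}


@dataclass(frozen=True)
class Settings:
    # Assumed defaults for this example (see module docstring).
    minlen: int = 9
    dcredit: int = 1  # >= 0: maximum credit for digits; < 0: minimum digits required
    ucredit: int = 1  # same semantics for uppercase letters
    lcredit: int = 1  # same semantics for lowercase letters
    ocredit: int = 1  # same semantics for other characters

    def credit(self, cls: str) -> int:
        return {"d": self.dcredit, "u": self.ucredit,
                "l": self.lcredit, "o": self.ocredit}[cls]


def count_classes(password: str) -> Dict[str, int]:
    """Count how many characters of each class the candidate contains."""
    counts = {cls: 0 for cls in CLASSES}
    for ch in password:
        if ch.isdigit():
            counts["d"] += 1
        elif ch.isupper():
            counts["u"] += 1
        elif ch.islower():
            counts["l"] += 1
        else:
            counts["o"] += 1
    return counts


def effective_minlen(password: str, s: Settings = Settings()) -> int:
    """Length this particular candidate must reach once credits are applied.

    A class with a non-negative credit N contributes min(count, N) towards
    minlen.  A negative credit is a hard minimum count and earns no credit,
    so the threshold depends on the candidate, not only on the configuration.
    """
    counts = count_classes(password)
    size = s.minlen
    for cls in CLASSES:
        credit = s.credit(cls)
        if credit >= 0:
            size -= min(counts[cls], credit)
    return size


def check(password: str, s: Settings = Settings()) -> Optional[str]:
    """Return None when the candidate passes, else an error message.

    Minimum-count requirements (negative credits) are reported before the
    length requirement, mirroring the order described in the manpage.
    """
    counts = count_classes(password)
    for cls in CLASSES:
        credit = s.credit(cls)
        if credit < 0 and counts[cls] < -credit:
            return f"The password contains less than {-credit} {NAMES[cls]}"
    size = effective_minlen(password, s)
    if len(password) < size:
        return f"The password is shorter than {size} characters"
    return None


if __name__ == "__main__":
    # Constructed candidates: the first four are the ones quoted in the thread.
    for candidate in ("a 1", "a b", "abc", "krutodemo"):
        print(f"{candidate!r:12} -> {check(candidate) or 'ok'}")
    strict = Settings(dcredit=-1)  # at least one digit, no credit for digits
    print(f"{'abcdefghi'!r:12} -> {check('abcdefghi', strict) or 'ok'}")
```

With the assumed settings the three short candidates report thresholds of 6, 7 and 8 (9 minus one credit per class present), and the nine-character "krutodemo" passes because its effective threshold is 8. The threshold is a function of the candidate's character mix, which is why a UI that gates on the raw minlen value disagrees with the quality check itself.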