Bug 865521 - rfe: smaller, smarter cracklibs-dict by default
Summary: rfe: smaller, smarter cracklibs-dict by default
Alias: None
Product: Fedora
Classification: Fedora
Component: cracklib
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2012-10-11 16:33 UTC by Matthew Miller
Modified: 2018-12-20 15:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2018-12-20 15:07:58 UTC
Type: Bug

Attachments
common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net) (71.31 KB, text/plain)
2015-07-22 21:03 UTC, Matthew Miller

Description Matthew Miller 2012-10-11 16:33:54 UTC
9MB isn't gigantic, but I'd like to get the Fedora cloud image as small as possible. Hopefully, people will be using ssh keys and not passwords at all in the cloud anyway. Cracklib-dicts is in the dependency chain of, well, anything, and so shipping a minimal version is an easy way to reduce image size.

I know I'm responsible in part for the growth of this package, but times change. :)

Ideally, the big dictionary package would be installed by default, but a smaller version could also fill the dependency.

Comment 1 Fedora Admin XMLRPC Client 2013-06-10 16:17:38 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 2 Matthew Miller 2013-09-09 00:24:50 UTC
I see that there is a "cracklib-small" already. Maybe that's the place to start? Alternately, there's this list http://xato.net/passwords/more-top-worst-passwords/#more-269 of the 10,000 most common passwords, which the researcher suggests are used by 98.8% (!) of users. That's even smaller than cracklib-small and may have a stronger positive impact.

Comment 3 Matthew Miller 2014-06-26 17:51:11 UTC
Can we revisit this for F21?

Comment 4 Matthew Miller 2014-07-11 15:58:00 UTC
Note that the top 10k list is licensed CC-BY-SA 3.0, with text as follows:

"You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net)."

Comment 5 Matthew Miller 2015-07-22 16:32:42 UTC
Original site seems down, but list is widely available. See for example https://github.com/typhoon2099/PasswordBannedList/blob/master/banned.list.

This could also be combined with https://github.com/first20hours/google-10000-english, and possibly similar for a few other languages, still yielding a much smaller overall dict.

Comment 6 Matthew Miller 2015-07-22 21:03:05 UTC
Created attachment 1055018
common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net)

Comment 7 Matthew Miller 2015-07-23 19:30:37 UTC
See https://fedorahosted.org/fesco/ticket/1455 -- I think that for the purposes of this ticket, simply subpackaging cracklib-small separately should be sufficient.

Right now, libpwquality and pam both directly require cracklib-dicts; I guess cracklib-dicts-small could provide this, and then cracklib itself could have "Recommends: cracklib-dicts"?

Comment 8 Tomas Mraz 2015-07-24 08:38:00 UTC
I am afraid the dependency problem will have to be resolved differently. 

Currently even if we subpackaged the cracklib-dicts-small the file will not be usable without configuring explicit dictpath in pwquality.conf (or in case of pam_cracklib on its command line - however that is a legacy module and we can probably ignore it now).

We could probably change the hard Requires in pam and libpwquality to Recommends. However I am not sure whether that helps with the Cloud product - i.e. whether cloud images can ignore weak deps.

Comment 9 Matthew Miller 2015-07-24 13:48:05 UTC
I noticed that you're adding "conf.d" support to libpwquality. Might it be possible for each dict subpackage to include a conf snippet enabling that dictionary?

The cloud images *can* ignore weak deps. Right now, Recommends aren't installed by default at all and need to be listed; in the future if this changes, we can always "-" them.
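Putting Comments 7 to 9 together as a worked example (added here; this is not code from the bug, nor from the cracklib or libpwquality projects): a plain one-word-per-line list such as the attached top-10k file is normalised, packed into a cracklib dictionary, and enabled through a libpwquality conf.d drop-in of the kind a small-dictionary subpackage could ship. The dictionary prefix /usr/share/cracklib/pw_dict_small, the drop-in name 10-small-dict.conf and the subpackage itself are assumptions, and the normalisation only approximates what cracklib-format does.

```shell
#!/bin/sh
# Added example, not part of the bug report or of cracklib/libpwquality.
# Paths and the subpackage name are assumptions, not Fedora packaging facts.
set -eu

# Approximates cracklib-format: drop CRs and blank lines, lowercase,
# then sort and de-duplicate so cracklib-packer gets sorted unique words.
normalize_wordlist() {            # $1 = input list, result on stdout
    tr -d '\r' < "$1" | tr '[:upper:]' '[:lower:]' \
        | grep -v '^[[:space:]]*$' | sort -u
}

# Pack the normalised list into a cracklib dictionary (pw_dict.hwm/pwd/pwi
# under the given prefix). Needs the cracklib packer utility installed.
build_cracklib_dict() {           # $1 = input list, $2 = dictionary prefix
    command -v cracklib-packer >/dev/null 2>&1 || {
        echo "cracklib-packer not installed" >&2; return 1; }
    normalize_wordlist "$1" | cracklib-packer "$2"
}

# The drop-in Comment 9 proposes: point libpwquality at the small dictionary.
# dictcheck and dictpath are real pwquality.conf keys; the file name is assumed.
write_pwquality_dropin() {        # $1 = conf.d directory, $2 = dictionary prefix
    cat > "$1/10-small-dict.conf" <<EOF
# Installed by the (assumed) cracklib-dicts-small subpackage.
dictcheck = 1
dictpath = $2
EOF
}

# Demo on a constructed sample list; prints the scratch directory it used.
demo() {
    dir="${TMPDIR:-/tmp}/cracklib-small-demo.$$"
    mkdir -p "$dir/pwquality.conf.d"
    printf 'Password\npassword\n123456\n\nqwerty\r\n' > "$dir/common.txt"
    normalize_wordlist "$dir/common.txt" > "$dir/common.sorted"
    write_pwquality_dropin "$dir/pwquality.conf.d" /usr/share/cracklib/pw_dict_small
    echo "$dir"
}
```

On a real build the normalised list would be fed to build_cracklib_dict with the same prefix named in the drop-in, and the drop-in installed under /etc/security/pwquality.conf.d/.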

Comment 10 Matthew Miller 2016-10-27 14:53:10 UTC
Is this fixed by #1323172?

Comment 11 Tomas Mraz 2016-10-31 08:50:35 UTC
It basically depends on you whether you think the fix for bug 1323172 is sufficient for you.

Comment 12 Matthew Miller 2017-01-26 18:04:23 UTC
I guess it is, although I think it would still be nice to ship the smaller dictionary as an alternative option, but whatever.

Comment 13 Matthew Miller 2018-05-07 10:18:37 UTC
This is a 2013 article I'm just now reading, but I think it emphasizes the point

Attackers are now using terabyte+ wordlists. This makes our several-megabyte one mostly pointless. As of 2018, NIST still recommends using such a blacklist (see https://pages.nist.gov/800-63-3/sp800-63b.html), but I think instead of our multi-megabyte millions-of-entries list, we should *default* to a much smaller dictionary. This covers a) the recommendation and b) the most obvious human-guessable choices but keeps image size small.

Comment 14 Tomas Mraz 2018-12-20 15:07:58 UTC
We are not going to pursue this RFE at this point. If there is interest in providing optional small cracklib dictionary feel free to provide PRs in Pagure.
