9MB isn't gigantic, but I'd like to get the Fedora cloud image as small as possible. Hopefully, people will be using ssh keys and not passwords at all in the cloud anyway. Cracklib-dicts is in the dependency chain of, well, anything, and so shipping a minimal version is an easy way to reduce image size. I know I'm responsible in part for the growth of this package, but times change. :) Ideally, the big dictionary package would be installed by default, but a smaller version could also fill the dependency.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I see that there is a "cracklib-small" already. Maybe that's the place to start? Alternately, there's this list http://xato.net/passwords/more-top-worst-passwords/#more-269 of the 10,000 most common passwords, which the researcher suggests are used by 98.8% (!) of users. That's even smaller than cracklib-small and may have a stronger positive impact.
Can we revisit this for F21?
Note that the top 10k list is licensed CC-BY-SA 3.0, with text as follows: "You may use the Top 10,000 Passwords List, the Top Passwords Tag Cloud or any portion of this article (including commercial use) with attribution to Mark Burnett (xato.net)."
Original site seems down, but list is widely available. See for example https://github.com/typhoon2099/PasswordBannedList/blob/master/banned.list. This could also be combined with https://github.com/first20hours/google-10000-english, and possibly similar for a few other languages, still yielding a much smaller overall dict.
Created attachment 1055018: common passwords list, CC-BY-SA 3.0 Mark Burnett (xato.net)
See https://fedorahosted.org/fesco/ticket/1455 -- I think that for the purposes of this ticket, simply subpackaging cracklib-small separately should be sufficient. Right now, libpwquality and pam both directly require cracklib-dicts; I guess cracklib-dicts-small could provide this, and then cracklib itself could have "Recommends: cracklib-dicts"?
I am afraid the dependency problem will have to be resolved differently. Currently even if we subpackaged the cracklib-dicts-small the file will not be usable without configuring explicit dictpath in pwquality.conf (or in case of pam_cracklib on its command line - however that is a legacy module and we can probably ignore it now). We could probably change the hard Requires in pam and libpwquality to Recommends. However I am not sure whether that helps with the Cloud product - i.e. whether cloud images can ignore weak deps.
I noticed that you're adding "conf.d" support to libpwquality. Might it be possible for each dict subpackage to include a conf snippet enabling that dictionary? The cloud images *can* ignore weak deps. Right now, Recommends aren't installed by default at all and need to be listed; in the future if this changes, we can always "-" them.
Is this fixed by #1323172?
It basically depends on you whether you think the fix for bug 1323172 is sufficient for you.
I guess it is, although I think it would still be nice to ship the smaller dictionary as an alternative option, but whatever.
This is a 2013 article I'm just now reading, but I think it emphasizes the point https://arstechnica.com/information-technology/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/ Attackers are now using terabyte+ wordlists. This makes our several-megabyte one mostly pointless. As of 2018, NIST still recommends using such a blacklist (see https://pages.nist.gov/800-63-3/sp800-63b.html), but I think instead of our multi-megabyte millions-of-entries list, we should *default* to a much smaller dictionary. This covers a) the recommendation and b) the most obvious human-guessable choices but keeps image size small.
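The two ideas raised above, a per-subpackage conf.d snippet that selects the dictionary and a small top-N blocklist as the default screen NIST SP 800-63B describes, as an added Python example that is not code from this thread, from libpwquality or from Fedora's packages. It is a simplified model: the config file names, the dictpath values and the word list are constructed for illustration.

```python
import re

# Constructed stand-ins for /etc/security/pwquality.conf and for a conf.d
# snippet that a hypothetical cracklib-dicts-small subpackage might ship.
MAIN_CONF = """
dictpath = /usr/share/cracklib/pw_dict
"""
SNIPPET_CONF = """
# 10-cracklib-dicts-small.conf (hypothetical subpackage snippet)
dictpath = /usr/share/cracklib/pw_dict_small
"""
# Constructed top-N style blocklist standing in for the small dictionary.
SMALL_DICT = {"password", "123456", "qwerty", "letmein", "fedora", "iloveyou"}
LEET = str.maketrans("@$0", "aso")  # undo the most common substitutions

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings

def effective_settings(*conf_texts):
    """Simplified model: later files override earlier ones, as a conf.d
    directory read in sorted order would override the main file."""
    merged = {}
    for text in conf_texts:
        merged.update(parse_conf(text))
    return merged

def normalize(candidate):
    """Fold case, drop trailing digits/punctuation, undo substitutions,
    so that 'P@ssw0rd1!' is screened as 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return stripped.translate(LEET)

def check_password(candidate, blocklist=SMALL_DICT):
    """Return None if the password passes, otherwise the rejection reason."""
    if candidate in blocklist:
        return "in the common-password list"
    if normalize(candidate) in blocklist:
        return "trivial variant of a common password"
    return None
```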
We are not going to pursue this RFE at this point. If there is interest in providing an optional small cracklib dictionary, feel free to provide PRs in Pagure.