Bug 911196 - libpwquality password length calculation issues
Summary: libpwquality password length calculation issues
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: libpwquality
Version: 18
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-02-14 14:51 UTC by Michael Catanzaro
Modified: 2013-02-18 16:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-02-18 16:01:30 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 691907 0 None None None Never

Description Michael Catanzaro 2013-02-14 14:51:23 UTC
Description of problem: libpwquality accepts passwords with fewer characters than its reported minimum length


Version-Release number of selected component (if applicable): 1.2.1-1.fc18


How reproducible: Always


Steps to Reproduce:
In System Settings (control-center 3.6.3-1.fc18), pretend to change the password on your user account. The password strength indicator determines whether libpwquality has accepted the password; however in this version of control-center the "change password" button sensitivity depends only on the reported minimum password length. Add characters to the new password one at a time and note both when libpwquality determines the password is good and when the "change password" button becomes sensitive.
  
Actual results: The password is reported to be of sufficient quality before the change password button becomes sensitive, indicating that the min password length has not been reached.


Expected results: Sensitivity changes when password is deemed acceptable.


Additional info: In the next version of System Settings, sensitivity will depend on reported password quality rather than min password length, and therefore THE HOW TO REPRODUCE ABOVE WILL NO LONGER INDICATE A PROBLEM although the bug may remain. See bgo#691907.

Two comments from there are relevant to this report:


Comment #1, Ondrej Holy:

"there are probably some bugs in the libpwquality,
because for passwords:

'a 1' -> The password is shorter than 6 characters
'a b' -> The password is shorter than 7 characters
'abc' -> The password is shorter than 8 characters

However minimal length should be 9 according:

pwquality_get_int_value (pwquality_default_settings (), PWQ_SETTING_MIN_LENGTH, &value)

But e.g. 8 characters 'krutodemo' doesn't return any error..."


Comment #2, Matthias Clasen:

"If you look at check.c in libpwquality, around line 260, you'll find that it
doesn't actually return the minimal length, but something more like
min_length - required_digits - required_other. Clearly a bug in libpwquality.

By my count, krutodemo actually has 9 characters: kru tod emo"

Comment 1 Tomas Mraz 2013-02-18 16:01:30 UTC
This is not a bug but an expected behavior. If you look at the pwquality.conf and pam_pwquality manpages you can see that the minlen parameter is not a pure length but something more complicated in case nonzero settings are set for [dluo]credit parameters. This is also reflected in the error messages.
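The credit rule described in this comment, as an added illustration that is not libpwquality's own code: a re-implementation of the documented minlen/[dulo]credit arithmetic from pam_pwquality(8), with minlen=9 taken from the report and a credit of 1 per class assumed, since that is what the quoted error messages imply.

```python
# Added example (not libpwquality code): the documented credit rule.
# Effective size = len(password) + credits; it is compared against minlen,
# and the message reports the shortfall minlen - credits, so the quoted
# number can be smaller than minlen. Defaults below are assumptions.
from typing import Optional


def class_counts(password: str) -> dict:
    """Count the four character classes libpwquality distinguishes."""
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def credit_for(count: int, setting: int, name: str) -> int:
    """[dulo]credit semantics: setting >= 0 grants one credit per character
    of the class, capped at `setting`; setting < 0 makes the class
    mandatory with at least -setting characters and grants no credit."""
    if setting >= 0:
        return min(count, setting)
    if count < -setting:
        raise ValueError(f"The password contains less than {-setting} {name}")
    return 0


def simple_check(password: str, minlen: int = 9, dcredit: int = 1,
                 ucredit: int = 1, lcredit: int = 1,
                 ocredit: int = 1) -> Optional[str]:
    """Return None when the length rule passes, else the error text."""
    c = class_counts(password)
    try:
        credits = (credit_for(c["digit"], dcredit, "digits")
                   + credit_for(c["upper"], ucredit, "uppercase letters")
                   + credit_for(c["lower"], lcredit, "lowercase letters")
                   + credit_for(c["other"], ocredit, "non-alphanumeric characters"))
    except ValueError as err:
        return str(err)
    if len(password) + credits < minlen:
        return f"The password is shorter than {minlen - credits} characters"
    return None
```

With these settings 'a 1' earns three credits (digit, lowercase, other) and is reported as "shorter than 6 characters", while the nine lowercase letters of 'krutodemo' earn one credit and pass.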

