Bug 966524 - cracklib-check allows dictionary based passwords with simple modifications
cracklib-check allows dictionary based passwords with simple modifications
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cracklib (Show other bugs)
5.9
Unspecified Unspecified
medium Severity high
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
: FutureFeature
Depends On: 963769
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-23 08:13 EDT by Hubert Kario
Modified: 2013-06-11 07:58 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 963769
Environment:
Last Closed: 2013-06-11 07:58:29 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hubert Kario 2013-05-23 08:13:04 EDT
+++ This bug was initially created as a clone of Bug #963769 +++

Description of problem:
When using simple English word list (from package words), cracklib-check doesn't recognize passwords with simple modifications as based on dictionary words.

Version-Release number of selected component (if applicable):
cracklib-2.8.16-4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. create-cracklib-dict /usr/share/dict/words
2. echo "d.ncing" | cracklib-check
3. echo "d@ncing" | cracklib-check
4. echo "glo8ulin" | cracklib-check
5. echo "dancingdancing" | cracklib-check
6. echo "ancingd" | cracklib-check # "dancing" barrel-shifted by one letter
7. echo "1dancing1" | cracklib-check
8. echo "aca7alectic" | cracklib-check

Actual results:
d.ncing: OK
d@ncing: OK
glo8ulin: OK
dancingdancing: OK
ancingd: OK
1dancing1: OK
aca7alectic: OK

Expected results:
d.ncing: it is based on a dictionary word
d@ncing: it is based on a dictionary word
glo8ulin: it is based on a dictionary word
dancingdancing: it is based on a dictionary word
ancingd: it is based on a dictionary word
1dancing1: it is based on a dictionary word
aca7alectic: it is based on a dictionary word

Additional info:
Considering that passwords such as "-*!dancing,-=" are rejected, not rejecting much simpler changes/substitutions is unexpected.

As most of those modifications are present in standard rules used by John The Ripper they should be rejected by cracklib.

While some of those cases are introducing completely new tests, the list of missing leetspeak substitutions is quite glaring.

Proposed list of substitutions:
@ -> a
4 -> a
8 -> b (B)
3 -> e (E)
6 -> g
9 -> g
! -> i or l
1 -> i or l
$ -> s
5 -> s
7 -> t (T)
+ -> t
| -> i or l

--- Additional comment from Nalin Dahyabhai on 2013-05-17 15:04:04 EDT ---

These aren't integrated properly, but doing it in a way that wouldn't explode the destructors list would require redoing a few layers of logic.

--- Additional comment from Hubert Kario on 2013-05-20 04:42:42 EDT ---

Regarding patch in Comment #2: I don't know how the code later searches if the word is in wordlist or not, but I know that pam_cracklib does check if a password doesn't contain words as a substring of "passwordpassword". This finds not only repetitions but such simple barrel shifts like in the "ancingd" case.

Regarding patch in Comment #3: I'm not sure if I read the patch correctly, but the a -> . substitution was more to show that obfuscating a single character is enough to render cracklib useless, not an actual "l33t speak" substitution.
And second "I'm not sure if I read the patch correctly" is the 8 -> B substitution: doesn't cracklib do a case insensitive search over its wordlist?

--- Additional comment from Nalin Dahyabhai on 2013-05-20 15:57:13 EDT ---

(In reply to Hubert Kario from comment #4)
> Regarding patch in Comment #2: I don't know how the code later searches if
> the word is in wordlist or not, but I know that pam_cracklib does check if a
> password doesn't contain words as a substring of "passwordpassword". This
> finds not only repetitions but such simple barrel shifts like in the
> "ancingd" case.

The pam_cracklib module (and the cracklib python module, and apparently everything else that uses cracklib) implements additional logic beyond what cracklib does, so cracklib-check doesn't benefit from those efforts.

> Regarding patch in Comment #3: I'm not sure if I read the patch correctly,
> but the a -> . substitution was more to show that obfuscating a single
> character is enough to render cracklib useless, not an actual "l33t speak"
> substitution.
> And second "I'm not sure if I read the patch correctly" is the 8 -> B
> substitution: doesn't cracklib do a case insensitive search over its
> wordlist?

So it does.  That rule should be discarded from the patch, then.  As for the larger point, you're right, cracklib's doesn't catch everything.
Comment 1 RHEL Product and Program Management 2013-05-23 08:52:32 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 2 Tomas Mraz 2013-06-11 07:58:29 EDT
This is not a feature suitable for RHEL-5.

Note You need to log in before you can comment on or make changes to this bug.