acceptable_password -- determine if password is cryptic


Syntax

cc . . . -lprot

#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>

int acceptable_password (word, stream)
char *word;
FILE *stream;


Description

This routine determines whether the given password is reasonable; that is, whether it is hard to deduce by a number of heuristic means. The cleartext (plaintext) password is passed in as the argument word, and the second argument, stream, is a file pointer to which failure-reason messages are written. If the check is to be silent, pass a NULL file pointer as the second argument so that no messages are output.

When acceptable_password returns 1, the password provided meets all the tests described below. When it returns 0, the password failed at least one of the tests or an internal error occurred.

The selectivity criteria for the password include but may not be limited to the following four tests:

palindrome
This test is passed if the word is not a palindrome. (A palindrome is a word that is spelled the same backwards as forwards.) Examples of palindromes that fail this test are: mom, dad, noon, redivider, radar. Palindromes do not make good passwords because they reduce an n character password to n/2 + 1 characters. A penetrator who knew that palindromes were legal could use heuristics to deduce the password much more quickly than if they were excluded.

login name
This test is passed if the password is not a system login name or a closely related string. Insecure systems allow the password to be the login name itself, a fact known to many penetrators. All login names are excluded, not just the user's own, because a user who owns several pseudo-user accounts may elect to use the login name of one account as the password for all of them.

group name
As with the login name test, this test is passed if the password is not a group name or a closely related string.

English word
This test is passed if the spell(C) program determines that the supplied password is not an English word, so that a penetrator cannot search the on-line dictionary to find the password. The spell program also has built-in rules that go beyond the on-line dictionary in determining what is a proper word, and this routine takes advantage of them as well.
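
The following portable C program is an added example, not code from the SCO manual page or from the libprot implementation. It applies the same four tests (palindrome, login name, group name, dictionary word) to a candidate password and writes the reason for rejection to the supplied stream, staying silent when the stream is NULL, as described above. The login names, group names and dictionary words are constructed sample lists standing in for getpwent, getgrent and spell; the reading of "closely related string" as the name itself ignoring case or the name spelled backwards is an assumption of this example, not SCO's rule; the function name check_password_demo is hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for the passwd file, the group file
 * and the spell word list; a real checker would consult getpwent(),
 * getgrent() and spell instead of fixed arrays. */
static const char *const sample_logins[] = { "root", "daemon", "alice", "backup", NULL };
static const char *const sample_groups[] = { "wheel", "staff", "audit", NULL };
static const char *const sample_words[]  = { "password", "summer", "dragon", "welcome", NULL };

/* Write a failure reason unless the caller asked for silence with NULL. */
static void report(FILE *stream, const char *msg)
{
    if (stream != NULL)
        fprintf(stream, "check_password_demo: %s\n", msg);
}

/* 1 if s reads the same backwards as forwards (case-sensitive, as the page describes). */
static int is_palindrome(const char *s)
{
    size_t i, n = strlen(s);
    for (i = 0; i < n / 2; i++)
        if (s[i] != s[n - 1 - i])
            return 0;
    return 1;
}

/* Case-insensitive equality of two C strings. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Assumed meaning of "closely related": the name ignoring case, or the
 * name spelled backwards (again ignoring case). */
static int closely_related(const char *word, const char *name)
{
    char rev[256];
    size_t i, n = strlen(name);

    if (eq_nocase(word, name))
        return 1;
    if (n >= sizeof rev)          /* name too long for the reversal buffer */
        return 0;
    for (i = 0; i < n; i++)
        rev[i] = name[n - 1 - i];
    rev[n] = '\0';
    return eq_nocase(word, rev);
}

/* 1 if word is closely related to any name in a NULL-terminated list. */
static int related_to_any(const char *word, const char *const list[])
{
    for (; *list != NULL; list++)
        if (closely_related(word, *list))
            return 1;
    return 0;
}

/* 1 if word is (ignoring case) one of the dictionary words. */
static int in_word_list(const char *word, const char *const list[])
{
    for (; *list != NULL; list++)
        if (eq_nocase(word, *list))
            return 1;
    return 0;
}

/* Demo counterpart of acceptable_password: 1 = passes all tests, 0 = rejected. */
int check_password_demo(const char *word, FILE *stream)
{
    if (word == NULL || *word == '\0') {
        report(stream, "empty password");
        return 0;
    }
    if (is_palindrome(word)) {
        report(stream, "password is a palindrome");
        return 0;
    }
    if (related_to_any(word, sample_logins)) {
        report(stream, "password is, or closely resembles, a login name");
        return 0;
    }
    if (related_to_any(word, sample_groups)) {
        report(stream, "password is, or closely resembles, a group name");
        return 0;
    }
    if (in_word_list(word, sample_words)) {
        report(stream, "password is a dictionary word");
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed candidates: four rejected for different reasons, one accepted. */
    const char *candidates[] = { "noon", "ecila", "Wheel", "summer", "k7#Qv!2p", NULL };
    int i;
    for (i = 0; candidates[i] != NULL; i++)
        printf("%-10s -> %d\n", candidates[i], check_password_demo(candidates[i], stderr));
    return 0;
}
```

Each test runs in the order the page lists them, and the first failure is reported, which mirrors the 0/1 contract of the routine: a caller that only needs the verdict passes NULL and ignores the messages.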

Return value

When a supplied password meets all of the criteria, acceptable_password returns a value of 1. If the supplied password fails one of the tests or an internal error occurs, the routine returns a value of 0.


This routine works correctly only if set_auth_parameters is called as the first item in main( ).

See also

spell(C), getpwent(S-osr5), getgrent(S-osr5)

Standards conformance

acceptable_password is not part of any currently supported standard; it is an extension of AT&T System V provided by the Santa Cruz Operation.
© 2005 System Services (S-osr5)
SCO OpenServer Release 6.0.0 -- 02 June 2005