acceptable_password(S-osr5)
acceptable_password --
determine if password is cryptic
Syntax
cc . . . -lprot
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
int acceptable_password (word, stream)
char *word;
FILE *stream;
Description
This routine determines if the given password is reasonable;
that is, it
is very hard to deduce from a number of heuristic means.
The cleartext (plaintext) password is passed in as the argument
word and the second argument, stream,
is a file pointer to report failure-reason messages.
If this checking is to be silent, the second argument should
be a NULL file pointer so that no messages
will be output to the stream.
When acceptable_password
returns a 1, the password provided meets all the tests described below.
When it returns a 0, the password failed to meet at least one of the tests or
an internal error occurred.
The selectivity criteria for the password include but may not be limited
to the following four tests:
palindrome-
This test is passed if the word is not a palindrome.
(A palindrome is a word that is spelled the same backwards as forwards.)
Examples of palindromes that fail on this test are: mom, dad, noon,
redivider, radar.
Palindromes do not make good passwords because they reduce an
n character password to n/2 + 1 characters.
A penetrator knowing that palindromes were legal could use heuristics that could
deduce the password much more quickly than if they were excluded.
login name-
This test is passed if the password is not a system login name
or a closely related string.
Unsecure systems allow passwords to be the login name itself.
This is a fact known by many penetrators.
All login names are excluded because a user that is the owner of several
pseudo-user accounts may elect to use the login name of one account
as the password for all his accounts.
group name-
Similar to the login name issue, this test is passed if the password is not a
group name or a closely related string.
English word-
This test is passed if the
spell(C)
program determines that
the supplied password is not an English word so that
a penetrator cannot search the on-line dictionary to find the password.
The spell
program also has some built-in rules that go beyond the actual on-line
dictionary in determining what is a proper word which this routine
takes advantage of.
Return value
When a supplied password meets all of the criteria, the
acceptable_password returns a value of 1.
If the supplied password fails one of the tests or if an internal
error occurs, a value of 0 is returned by the routine.
Note
This routine works correctly only if set_auth_parameters
is called as the first item in
main( ).
Files
/etc/passwd
/etc/group
/usr/lib/spell/*
See also
spell(C),
getpwent(S-osr5),
getgrent(S-osr5)
Standards conformance
acceptable_password is not part of any currently supported standard;
it is an extension of AT&T System V provided by the Santa Cruz Operation.
© 2005 System Services (S-osr5)
SCO OpenServer Release 6.0.0 -- 02 June 2005