[dba-Tech] Check password strength

Arthur Fuller fuller.artful at gmail.com
Sun Jul 22 20:59:05 CDT 2012


I lifted the following snippet from nixCraft:

Granted, it's intended for Linux, but I think most of us have a Linux VM
handy, if for nothing else but occasional experimentation. You can always
flip to Linux to test out your various passwords:

HowTo: Linux Check Password Strength With Cracklib-check Command
<http://www.cyberciti.biz/security/linux-password-strength-checker/>

Using the same password on different servers allows attackers to access
your accounts if crackers manage to steal your password from a less secure
server. This is true for online website accounts too. So the solution is to
create unique passwords for server accounts like your email, sftp and ssh
accounts. General guidelines to create a strong and unique password are as
follows:

   1. Create a password with a mix of numbers, special symbols, and letters.
   2. Make sure your password is hard to guess. You can use a tool such as
   makepasswd <http://www.cyberciti.biz/faq/generating-random-password/> to
   create a hard-to-guess password.
   3. Do not use simple words like "password", "123456", "123abc" or
   "qwerty".
   4. Use a unique password for all your server accounts.
   5. A minimum password length of 12 to 14 characters should be used. See
   how to configure CentOS / RHEL / Fedora Linux based server password
   quality requirements
   <http://www.cyberciti.biz/faq/rhel-fedora-centos-linux-password-quality-control/>.
   6. Generate passwords randomly where feasible. You can do this with a
   simple shell script function
   <http://www.cyberciti.biz/faq/linux-random-password-generator/>.
   7. If possible use two-factor authentication.
   8. Use pam_crack to ensure strong passwords and to check passwords
   against a dictionary attack
   <http://www.cyberciti.biz/tips/linux-check-passwords-against-a-dictionary-attack.html>.

But how do you test the effectiveness of a password in resisting guessing
and brute-force attacks under Linux? The answer is simple: use the
cracklib-check command.
Say hello to cracklib-check

This command takes a list of passwords from keyboard
(stdin<http://bash.cyberciti.biz/guide/Input_and_Output>)
and checks them using libcrack2. The idea is simple: try to prevent users
from choosing passwords that could be guessed by "crack" by filtering them
out, at source.
Examples

Test a simple password like "password", enter:
$ echo "password" | cracklib-check
Sample outputs:

password: it is based on a dictionary word

Try sequential patterns such as "abc123456":
$ echo "abc123456" | cracklib-check
Sample outputs:

abc123456: it is too simplistic/systematic

Try a password with a mix of letters, numbers, and symbols:
$ echo 'i1oVe|DiZza' | cracklib-check
Sample outputs:

i1oVe|DiZza: OK

The above password increases the difficulty of guessing or cracking your
password. I used a random phrase (easy to remember), "I Love Pizza", and
inserted random characters to create a strong password: "i1oVe|DiZza".
Putting it all together

#!/bin/bash
# A sample shell script to add user to the system
# Check password for strength
# Written by Vivek Gite under GPL v2.x+
# ----------------------------------------------
read -p "Enter username : " user
read -sp "Enter password : " password
echo
echo "Testing password strength..."
echo
# cracklib-check reads the candidate from stdin and prints "candidate: verdict"
result="$(cracklib-check <<<"$password")"
# okay awk is bad choice but this is a demo
okay="$(awk -F': ' '{ print $2}' <<<"$result")"
if [[ "$okay" == "OK" ]]
then
	echo "Adding a user account please wait..."
	/sbin/useradd -m -s /bin/bash "$user"
	echo "$user:$password" | /sbin/chpasswd
else
	echo "Your password was rejected - $result"
	echo "Try again."
fi


Hope this helps someone.
-- 
Arthur
Cell: 647.710.1314

Prediction is difficult, especially of the future.
  -- Niels Bohr


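The nixCraft script above splits cracklib-check's "candidate: verdict" output on the first ": ", which misreads a candidate that itself contains ": ". The following is an added example, not code from the post or from nixCraft, showing a wrapper that splits on the last ": " instead and reports when cracklib-check is not installed; the function names (verdict_of, candidate_of, check_password) are my own, and the output lines used for illustration are constructed to match the format shown in the post.

```shell
#!/bin/bash
# Added example: robust parsing of cracklib-check output.
# cracklib-check prints "<candidate>: <verdict>", where verdict is "OK" or a
# reason such as "it is based on a dictionary word". The candidate may itself
# contain ": ", so the verdict is whatever follows the LAST ": " on the line.

# verdict_of LINE -> prints the verdict part of one cracklib-check output line.
verdict_of() {
    local line=$1
    printf '%s\n' "${line##*: }"
}

# candidate_of LINE -> prints the candidate part of one cracklib-check line.
candidate_of() {
    local line=$1
    printf '%s\n' "${line%: *}"
}

# check_password PASSWORD
#   prints the verdict; returns 0 if cracklib-check says OK, 1 if it rejects
#   the password, 2 if cracklib-check is not installed (fail closed).
check_password() {
    local pw=$1 out verdict
    if ! command -v cracklib-check >/dev/null 2>&1; then
        echo "cracklib-check not found" >&2
        return 2
    fi
    # printf rather than echo, so a password such as "-n" is passed intact.
    out=$(printf '%s\n' "$pw" | cracklib-check)
    verdict=$(verdict_of "$out")
    printf '%s\n' "$verdict"
    [ "$verdict" = "OK" ]
}

# Constructed sample lines in cracklib-check's output format (not real runs).
sample_reject='password: it is based on a dictionary word'
sample_colon='foo: bar: OK'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "verdict for '$(candidate_of "$sample_reject")': $(verdict_of "$sample_reject")"
    echo "verdict for '$(candidate_of "$sample_colon")': $(verdict_of "$sample_colon")"
    # Live check, if cracklib-check is available on this machine.
    if check_password 'i1oVe|DiZza'; then echo "accepted"; else echo "rejected or unavailable (rc=$?)"; fi
fi
```

Because check_password returns 2 when the tool is absent, a calling script that treats only exit status 0 as "password accepted" cannot silently skip the check on a host where libcrack2 was never installed.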