
		      ckpasswd - a password checker

			       Mike Williams
		   Dept. of Land and Survey Information
				New Zealand
		       <mikew@gopher.dosli.govt.nz>

			      21 October 1994


ckpasswd is a utility that will check the "safety" of a candidate password.
It is NOT (by itself) a passwd(1) replacement, as it does none of the work
of updating the /etc/passwd file, etc. (but see mpasswd, below).

ckpasswd is designed to be invoked by a passwd(1) replacement to check the
users candidate password.  The candidate password is read from standard
input.  If ckpasswd determines that the password is bad, it returns an
explanation of why on stdout.  The calling program is expected to reject
the candidate password, possibly displaying the explanation and prompting
the user for another password.  If the password is okay, ckpasswd just
exits with no output.

FEATURES
--------

  * Highly configurable.
  * Written in perl for easy customisation.
  * Does not need to run setuid to root.

  * Can access a variety of dictionary types to check for bad passwords:
      - plain ASCII sorted file
      - case-folded sorted file (sorted with "sort -f")
      - DBM database
      - "Bloom filter" hash file
      - ispell(1) dictionary

  * Checks for password which may be based on real-world information about
    the user, including:
      - dates
      - phone numbers
      - number plates
      - username
      - user's full name
      - user's initials

  * Checks for simple transformations of words, including:
      - mixing case
      - pre-pending or appending digits/whitespace/punctuation
      - doubling & reflecting, eg. "blahblah", "blahhalb"

  * Checks for
      - alphabetic sequences
      - QWERTY sequences
      - host names

WHY A SEPARATE PROGRAM?
-----------------------

Why put the password checking functionality in a separate program rather
than (say) a C library?  Well, the main reason is that I wanted to write
ckpasswd in perl, to make it more portable, flexible, powerful,
maintainable, etc etc.

However, I didn't want to implement the entire functionality of passwd(1)
in perl, for several reasons:

  * Implementing passwd(1) in perl may be less secure.  Security could be
    compromised if an attacker was able to alter any of:
      - the passwd(1) script itself;
      - perl libraries included by the script;
      - the perl binary.
    As passwd(1) must run as root, I was not prepared to take the risk.

  * On some systems (like mine) passwd(1) may need to do various things
    that are not easily accomplished in perl.  For instance:
      - update an alternate authorisation database (eg. shadow passwords);
      - update the NIS passwd database;
      - update a BIND/Hesiod passwd database.

From a security point of view, the risk is greatly reduced as ckpasswd need
not run set-uid to root.  In fact, the passwd(1) program could
seteuid("nobody") before invoking ckpasswd.  There is still the danger of
an attacker modifying ckpasswd to somehow record password choices, but this
is not any worse that the risk of same attacker replacing /bin/passwd!

Implementing ckpasswd as a standalone program also makes it easier to upgrade,
test and or invoke from other systems that need password checking
functionality. 

A SIMPLE PASSWD(1) WRAPPER
--------------------------

Included is a simple wrapper around /bin/passwd that will make use of
ckpasswd.  mpasswd opens a pseudo-terminal, where it invokes /bin/passwd.
Replies to the "new password" prompt are checked using ckpasswd before
being passed on to the /bin/passwd process.

VERSION 1.0
-----------

Note that this is the first time I've released ckpasswd.  You have been
warned!  Bug reports, suggestions and feedback are welcome, although I hope
that it won't need too much more development.

Enjoy!
Mike W.
