Index Index for
Section 3
Index Alphabetical
listing for A
Bottom of page Bottom of
page		 

acceptable_password(3)


NAME

  acceptable_password - Determines if a password meets deduction requirements
  (Enhanced Security)


SYNOPSIS

  int acceptable_password(
	  char *word,
	  FILE *stream );


LIBRARY

  Enhanced Security Library (libsecurity)


PARAMETERS

  word
      Points to the suggested password.

  stream
      Points to the stream to write diagnostics into.


DESCRIPTION

  The acceptable_password() function determines if the given password is
  difficult to deduce from well known, password-guessing heuristics. The
  cleartext (plaintext) password is passed as the first argument, and the
  file pointer of the stream that is used to report failure reasons is the
  second argument.  If this checking is to be silent, the second argument
  should be a null file pointer.

  When the acceptable_password() function returns a value of 1, the password
  provided meets all the tests listed in the following text. When it returns
  a value of 0 (zero), the password failed to meet at least one of the tests.

  The selectivity criteria for the password include but cannot be limited to
  the following four tests:

  Palindrome
      This test passes if the word is not a palindrome. (A palindrome is a
      word that is spelled the same backwards as it is forwards.) Examples of
      palindromes that fail this test are mom, dad, noon, redivider, radar.
      Palindromes do not make good passwords because they reduce an n
      character password to n/2 + 1 characters. A penetrator knowing that
      palindromes were legal could use heuristics that could deduce the
      password much more quickly than if they were excluded.

  Login Name
      This test passes if the password is not a derivative of a login name
      for the system. Many insecure systems allow passwords to be the login
      name itself. This is a fact known by many penetrators.  All login names
      are excluded because a user that is the owner of several pseudouser
      accounts can elect to use the login name of one account as the password
      for all accounts.

  Group Name
      Similar to the login name issue, this test passes if the password is
      not a group name derivative.

  English Word
      This test passes if the spell program determines that the password is
      not an English word.  A penetrator then could not search the online
      dictionary to find the password.	The spell program also has some
      built-in rules that go beyond the actual online dictionary in
      determining what is a proper word, and this routine takes advantage of
      that.


NOTES

  Programs that use this routine must be compiled with -lsecurity.


FILES

  /etc/passwd
      System password file.

  /etc/group
      System group file.


SEE ALSO

  Commands: spell(1)

  Functions: getpwent(3), getgrent(3)

Index Index for
Section 3
Index Alphabetical
listing for A
Top of page Top of
page