1 /* vi: set sw=4 ts=4: */
3 * Mini weak password checker implementation for busybox
5 * Copyright (C) 2006 Tito Ragusa <farmatito@tiscali.it>
7 * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
11 1) should contain at least six characters (man passwd);
12 2) empty passwords are not permitted;
13 3) should contain a mix of four different types of characters
17 special characters such as !@#$%^&*,;".
18 This password types should not be permitted:
19 a) pure numbers: birthdates, social security number, license plate, phone numbers;
20 b) words and all letters only passwords (uppercase, lowercase or mixed)
21 as palindromes, consecutive or repetitive letters
22 or adjacent letters on your keyboard;
23 c) username, real name, company name or (e-mail?) address
24 in any form (as-is, reversed, capitalized, doubled, etc.).
25 (we can check only against username, gecos and hostname)
26 d) common and obvious letter-number replacements
27 (e.g. replace the letter O with number 0)
28 such as "M1cr0$0ft" or "P@ssw0rd" (CAVEAT: we cannot check for them
29 without the use of a dictionary).
31 For each missing type of characters an increase of password length is
34 If user is root we warn only.
36 CAVEAT: some older versions of crypt() truncates passwords to 8 chars,
37 so that aaaaaaaa1Q$ is equal to aaaaaaaa making it possible to fool
38 some of our checks. We don't test for this special case as newer versions
39 of crypt do not truncate passwords.
44 static int string_checker_helper(const char *p1, const char *p2) __attribute__ ((__pure__));
46 static int string_checker_helper(const char *p1, const char *p2)
48 /* as-is or capitalized */
49 if (strcasecmp(p1, p2) == 0
51 || strcasestr(p2, p1) != NULL
52 /* invert in case haystack is shorter than needle */
53 || strcasestr(p1, p2) != NULL)
58 static int string_checker(const char *p1, const char *p2)
62 int ret = string_checker_helper(p1, p2);
63 /* Make our own copy */
64 char *p = xstrdup(p1);
74 /* check reversed string */
75 ret |= string_checker_helper(p, p2);
77 memset(p, 0, strlen(p1));
87 static const char *obscure_msg(const char *old_p, const char *new_p, const struct passwd *pw)
93 /* Add 2 for each type of characters to the minlen of password */
94 int size = CONFIG_PASSWORD_MINLEN + 8;
99 if (!new_p || (length = strlen(new_p)) < CONFIG_PASSWORD_MINLEN)
102 /* no username as-is, as sub-string, reversed, capitalized, doubled */
103 if (string_checker(new_p, pw->pw_name)) {
104 return "similar to username";
106 /* no gecos as-is, as sub-string, reversed, capitalized, doubled */
107 if (*pw->pw_gecos && string_checker(new_p, pw->pw_gecos)) {
108 return "similar to gecos";
110 /* hostname as-is, as sub-string, reversed, capitalized, doubled */
111 hostname = safe_gethostname();
112 i = string_checker(new_p, hostname);
115 return "similar to hostname";
117 /* Should / Must contain a mix of: */
118 for (i = 0; i < length; i++) {
119 if (islower(new_p[i])) { /* a-z */
121 } else if (isupper(new_p[i])) { /* A-Z */
123 } else if (isdigit(new_p[i])) { /* 0-9 */
125 } else { /* special characters */
128 /* More than 50% similar characters ? */
132 p = strchr(p, new_p[i]);
138 break; /* move past the matched char if possible */
142 if (c >= (length / 2)) {
143 return "too many similar characters";
147 if (mixed & (1<<i)) size -= 2;
151 if (old_p && old_p[0] != '\0') {
152 /* check vs. old password */
153 if (string_checker(new_p, old_p)) {
154 return "similar to old password";
160 int FAST_FUNC obscure(const char *old, const char *newval, const struct passwd *pw)
164 msg = obscure_msg(old, newval, pw);
166 printf("Bad password: %s\n", msg);
projects / oweals / busybox.git / blob