Glenn Johnson wrote:
> I have set up the password strength checking system using
> pam_passwdqc.so, set in /etc/pam.d/passwd. I have also set up password
> expiration.
>
> When a user issues the 'passwd' command, the password strength checking
> module works as expected. When a user logs in via the console after the
> password expiry time has passed, the login program prompts for a new
> password before the session begins. However, this password change has
> no strength check at all. Is there some other change I need to make to
> may pam configuration?


"Posted for someone who wishes to remain anyonyous":
----
I have this same problem.

With password strength checking in place, it drastically reduces
the search space that I need to cover in order to perform a brute
force attack, by disallowing a large portion of the space I would
otherwise need to pay attention to searching.

Without the strength checking on the password change, I have to
reexpand my search space to the entire search space, and it takes
a lot longer to crack passwords.

Please put a uniform "strength checking" algorithm in everywhere...

Thanks,
A. Hacker
----

8-) 8-).

-- Terry
_______________________________________________
freebsd-chat@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-chat
To unsubscribe, send any mail to "freebsd-chat-unsubscribe@freebsd.org"