[inithooks] Rather than ad hoc rules, we should use cracklib to provide feedback on passwords
As noted by Key Turner in the forums, there are some non-ideal scenarios with the way that we currently parse passwords and the (somewhat arbitrary/ad hoc) rules that we apply.
The suggestion is that we leverage the cracklib library to check the password. There is a Python module packaged in Debian which we could leverage within inithooks. We may still need to do our own password checking in some scenarios (some apps have their own password complexity checks and we'd need to match them) but generally I think we could run with cracklib checks.
I'm moving this to v17.0 for now. Also, I'm not sure if it's a good idea or not, but there is a (packaged) cracklib PAM plugin?!
https://pages.nist.gov/800-63-4/sp800-63b/passwords/#length
Password length is a primary factor in characterizing password strength [Strength] [Composition]. Passwords that are too short yield to brute-force attacks and dictionary attacks.
Make it 20 characters, remove the other requirements, and call it a day.
Unfortunately, password checking being ad hoc currently isn't a design decision of our own; the shared code has got a pretty wide variety of upstream software that it needs to support that have their own bizarre requirements (banned characters, maximum allowed passwords, etc.).
Sadly we don't have control over upstream's password requirements, and in some cases they too are beholden to upstream.
That doesn't mean it's not resolvable, but there just isn't a single rule that will work across the entire appliance library.
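
The layering discussed in this thread (upstream-imposed hard limits first, then cracklib feedback), as an added example that is not inithooks code. The AppPolicy class, the POLICIES values and check_password are hypothetical, and the cracklib call assumes Debian's packaged cracklib Python module is installed.

```python
from dataclasses import dataclass
from typing import Optional

try:
    import cracklib  # assumption: Debian's packaged cracklib Python module
except ImportError:
    cracklib = None  # dictionary check is skipped when the module is absent


@dataclass(frozen=True)
class AppPolicy:
    """Hypothetical per-appliance constraints imposed by upstream software."""
    min_length: int = 8
    max_length: Optional[int] = None
    banned_chars: str = ""


# Constructed sample policies; real limits come from each upstream app.
POLICIES = {
    "default": AppPolicy(),
    "legacy-app": AppPolicy(min_length=8, max_length=32, banned_chars="'\"\\$ "),
}


def check_password(password, app="default", use_cracklib=True):
    """Return a list of human-readable problems; an empty list means accepted."""
    policy = POLICIES[app]
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"must be at most {policy.max_length} characters")
    banned = sorted(set(password) & set(policy.banned_chars))
    if banned:
        problems.append("contains characters this application rejects: "
                        + " ".join(repr(c) for c in banned))
    # Upstream limits are hard failures, so report them before quality feedback.
    if not problems and use_cracklib and cracklib is not None:
        try:
            cracklib.FascistCheck(password)
        except ValueError as exc:  # cracklib's message says why it is weak
            problems.append(str(exc))
    return problems
```

Keeping the upstream limits in data rather than in code means a new appliance only adds a policy entry, while the quality feedback shown to the user comes from one place.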