passwdqc is a password/passphrase strength checking and policy enforcement tool set, including an optional PAM module (pam_passwdqc), command-line programs (pwqcheck and pwqgen), and a library (libpasswdqc). On systems with PAM, pam_passwdqc is normally invoked on password changes by programs such as passwd(1). It is capable of checking password or passphrase strength, enforcing a policy, and offering randomly-generated passphrases, with all of these features being optional and easily (re-)configurable. pwqcheck and pwqgen are standalone password/passphrase strength checking and random passphrase generator programs, respectively, and are usable from scripts. libpasswdqc is the underlying library, which may also be used from third-party programs.
Tags: Security, Cryptography, Systems Administration
Operating Systems: POSIX, Linux, Solaris, BSD, FreeBSD, HP-UX
Release Notes: Detection of common character sequences has been improved (as tested on RockYou top 100k and top 1M). Generation of random passphrases with non-default settings has been improved: case toggling has been made optional, possible use of trailing single characters has been added, words are now separated with dashes when different separator characters are not in use, and the range of possible bit sizes of generated passphrases has been expanded. The code has been made more robust. Mac OS X support has been added. pwqcheck.php, a PHP wrapper function around the pwqcheck program, has been added.
Release Notes: Solaris-focused Makefile and documentation updates were done.
Release Notes: A password strength check has been adjusted to no longer subject certain passwords that start with a digit and/or end with a capital letter to an unintentionally stricter policy.
Release Notes: pwqcheck is now usable by OpenBSD and is able to check multiple passphrases at once. The random passphrases will now encode more entropy per separator and per word, increasing their default size to 47 bits. Substring matching will now partially discount rather than fully remove weak substrings, support leetspeak, and detect sequential digits, letters, and adjacent keys. The strength checking code will now detect and allow passphrases with non-ASCII (8-bit) characters in the words. The code has been made significantly faster. RPM packages can now be built out of the distribution tarballs.
Release Notes: Minor cleanups were done for the code and manual pages markup, such as for proper formatting on OpenBSD.