Password generator and strength of password check

Jamie,

I'd like to suggest 2 features, both of which I think require minor effort but would be useful to your userbase.

First, can you add a "button" to generate a new user password? The system will generate one during setup but I would like to be able to generate a new password on demand.

Second, we have some users who think passwords are mostly an inconvenience. So we quite often see passwords like, "1234", "123456", and my personal favorite for those extremely security conscious, "bob1". You get the point... Of course every time one of these accounts gets cracked we have to deal with blacklists etc to clear it up.

Can we have a "password check" feature that could, for example, at least check to make sure the password contains X CAPITAL letters, X numbers.

Ideally this is a process that could run daily (or whatever interval) and send an email to offenders letting them know they need to change their password or the account will be suspended (message should be configurable). The Cadillac version would automatically followup at a pre-determined interval (say you give them 2 days to do the update), then if not changed by the user it would automatically change the password to something more secure.

I hope that makes sense!

Thanks!
-- Craig

Status: 
Active

Comments

Howdy -- regarding your second question, take a peek at Webmin -> System -> Users and Groups -> Module Config -> Password Restrictions. Will that do what you're after?

andreycheck,

Hmm, didn't even know that existed!! Never stop learning. That is on the right track but to force X CAPs and X Numbers would I use "Perl regexp to check password against"? If so, how would that regex look, I'm not a regex person...

When is this check performed? Can it be scheduled? I would still like something that would "monitor" passwords, notify and change them if the client doesn't.

To force use of at least one capital letter and at least one number, you can use a regexp like :

.*[A-Z].*[0-9].*|.*[0-9].*[A-Z].*

OK, I'm guessing the minimum number of each case (capital letter, number) is one? Could I force 3 of each if desired?

Still wondering about the built in password restrictions already in VM:

When is this check performed? Can it be scheduled? I would still like something that would "monitor" passwords, notify and change them if the client doesn't.

Forcing 3 of each is possible, but would require a more complex regular expression. Or you could force 3 upper-case letters or numbers with a regexp like :

.*[A-Z0-9].*[A-Z0-9].*[A-Z0-9].*

The check is only done when the password is set or changed - there is no way to check existing passwords on schedule, due to the 1-way hash method used to store them on Unix systems.

The command

virtualmin list-users --domain domain.tld --multiline | grep "Unix username\|Password"

will show a list of users and their passwords in plain text, couldn't we check against that?

Unfortunately, it doesn't sound like a feature to schedule password testing will work its way into Webmin or Virtualmin anytime soon.

However, there are existing tools for doing such a thing, you could use one of those to assist.

An example of such a tool is cracklib-check.

Some examples of its usage are available here:

http://www.cyberciti.biz/security/linux-password-strength-checker/

Using it, or something like it, you could develop a script to run regularly from cron to test passwords on your system.

andrycheck,

I'm still testing on this but have a question about Password Restrictions "External password-checking program". I'm trying to set this to use cracklib-check so each user created is checked. I can't seem to find the right setup to get it working.

In the field I have echo $password | /usr/sbin/cracklib-check

There aren't any error messages, it just creates a new user even though I'm using a password that should cause alarm (i.e. password = bob). What am I doing wrong?

Thanks!
-- Craig

Depending on the "Pass username and password to program" option, the password will be passed to that command as either input or command line params. The input mode is safer, so you should select that and set the command to :

tail -1 | /usr/sbin/cracklib-check

The tail -1 is needed because Webmin supplies both the username and password.

I set it to "input" and have the command set as you instructed but it still doesn't do anything that I can see. I can create a test account named fred with password fred and it lets me create it.

Does the cracklib-check command exit with a non-zero status if the password is weak? Or does it just print something?

Here's a sample from the command line:

[root@mail4 ~]# echo bob | cracklib-check
bob: it is WAY too short

What output do you get if you run :

echo bob | cracklib-check
echo $?

[root@mail4 ~]# echo bob | cracklib-check
bob: it is WAY too short
[root@mail4 ~]# echo $?
0

Ok, the issue is that Webmin expects the command to fail if the password is invalid - it doesn't look at the output. So you should set the command to :

tail -1 | /usr/sbin/cracklib-check | grep OK

It still let me create a user bob@domain.tld w/password "bob". It did not provide any warnings.

What output do you get if you run :

echo bob | /usr/sbin/cracklib-check | grep OK
echo $?

[root@mail4 ~]# echo bob | /usr/sbin/cracklib-check | grep OK
[root@mail4 ~]# echo $?
1

Are you changing the password in Webmin or Usermin when the cracklib check is incorrectly passed?

I'm setting up a new mail user through virtualmin.

Perhaps there is some other setting that is breaking this.

Could you post the /etc/webmin/useradmin/config file from your system?

display_max=400
home_style=0
gshadow_file=/etc/gshadow
passwd_same=0
random_password=0
passwd_stars=0
passwd_progmode=1
passwd_file=/etc/passwd
uid_calc=0
gid_calc=0
extra_real=0
secmode=0
gid_mode=1
shadow_file=/etc/shadow
display_mode=1
new_user_gid=0
uid_mode=1
group_file=/etc/group
passwd_dict=0
base_uid=500
base_gid=500
lock_string=*
new_user_group=1
md5=1
membox=0
selinux_con=user_u:object_r:user_home_dir_t
user_files=/etc/skel
delete_only=0
homedir_perms=0750
home_base=/home
last_show=0
sort_mode=0
default_other=1
empty_mode=0
post_command=
shells=fixed,passwd,shells
email_type=0
delete_root=0
skip_md5=0
from_files=0
alias_check=0
passwd_redesc=
passwd_re=
passwd_min=
passwd_mindays=
passwd_prog=tail -1 | /usr/sbin/cracklib-check | grep OK
dict_file=

I see the issue now - because the command I gave you is run with a temp file containing the username and password redirected to it as input, you need to change the passwd_prog line to :

passwd_prog=(tail -1 | /usr/sbin/cracklib-check | grep OK)

This still does not work, it let me create a user "mary" with password "1234".

I looked into this further, and found there is a Webmin bug that causes the validation command to not block a password if the command doesn't produce any output ... which is the case here.

The work-around till the next release is to change the line to :

passwd_prog=(tail -1 | /usr/sbin/cracklib-check | perl -ne 'print $_; exit(!/OK/)')
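
As an added example (not from this thread or from Webmin/Virtualmin), here is a stand-in for the external password-checking program in "input" mode that needs no cracklib: it reads the username and password lines Webmin supplies, keeps only the last line as the tail -1 above does, enforces the "X capitals, X numbers" policy asked about earlier (the counts and the minimum length are assumed values), always prints a reason so the output bug mentioned above is not triggered, and exits non-zero on a weak password, which is the only thing Webmin checks.

```shell
# Policy values are assumptions for this example; adjust to taste.
MIN_LEN=8
MIN_UPPER=2
MIN_DIGITS=2

# count_class STRING CLASS -> number of characters of STRING within CLASS
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_password PASSWORD -> prints a reason on stdout and returns 1 if
# the password is weak, prints "<pw>: OK" and returns 0 otherwise.
# Always printing something matters: the thread notes Webmin did not
# block a password when the checking program produced no output.
check_password() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        printf '%s: shorter than %s characters\n' "$pw" "$MIN_LEN"; return 1
    fi
    if [ "$(count_class "$pw" 'A-Z')" -lt "$MIN_UPPER" ]; then
        printf '%s: needs at least %s capital letters\n' "$pw" "$MIN_UPPER"; return 1
    fi
    if [ "$(count_class "$pw" '0-9')" -lt "$MIN_DIGITS" ]; then
        printf '%s: needs at least %s digits\n' "$pw" "$MIN_DIGITS"; return 1
    fi
    printf '%s: OK\n' "$pw"
    return 0
}

# check_stdin: Webmin's input mode writes the username on line 1 and the
# password on line 2; keep the last line only, like "tail -1" in the thread.
check_stdin() {
    pw=$(tail -n 1)
    check_password "$pw"
}

# Run the stdin wrapper only when saved and invoked as pwcheck.sh, e.g.
#   printf 'craig\nbob\n' | sh pwcheck.sh ; echo $?
case "$0" in
    *pwcheck.sh) check_stdin ;;
esac
```

Pointing passwd_prog at this script (wrapped in parentheses as above) gives a rejection message that names the rule that was broken, which is the self-help direction asked for later in the thread.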

That worked!!!

Now, is there anything we can do about the "failure" message, it's a bit stark. Perhaps allow us to add some text to explain why it failed in a more friendly way to the customer?

What message do you get currently? It should be the output from the cracklib-check command.

I get the following
Failed to save mailbox : 123456: it is too simplistic/systematic

So yes, it does show the error. In reality however, they will see the words "failed to save mailbox" and stop reading, pick up the phone or open a ticket with us (we don't want support time tied up on something like this). That message can stay just the way it is, I just want to be able to include a short message explaining to them - Your password is too weak, try it again... blah blah blah.

Maybe on the Password Restrictions page you can add an area for a message when it fails that would show below the current default message. Let me know if you think that's possible.

Thanks!
-- Craig

How about if it said something like "Password validation failed : 123456: it is too simplistic/systematic"

Well that is better but it would be nice to communicate to them what the password requirements are (i.e. must contain 2 CAPITAL letters and 2 NUMBERS and 1 special character [~!@#$%^&*()_+] or something similar), otherwise they are just shooting blind - and will still call support.

I could make the password validation message customizable by the admin? However, that may not help for passwords rejected by cracklib, as its validation rules are more complex.

Couldn't you just make a "on 'Password Restriction' error message" that would be appended to the system error message? (actually it should show below it, not be appended).

I really don't care WHY it's rejected but, if it is, I want to provide some direction so they can self-help to resolve it.

Ahh!! This does not work in Usermin!!!

When creating a new email account via virtualmin (using cracklib-check as discussed above) it works great! When changing a password from Usermin, they can enter anything they want and it succeeds (1234, dictionary words, even the number of characters can be less than the set minimum).

Please help - we are pushing hard to find weak passwords and pushing our users to update them. If there aren't proper restrictions (as we've already defined for new users) the problem will simply continue.

Thanks!
-- Craig

That's odd, as in a default Virtualmin install password changes via Usermin are subject to the same rules.

Can you post the contents of the /etc/usermin/changepass/config file from your system?

cmd_mode=1
passwd_new=0
passwd_same=0
mysql=0
passwd_cmd=/usr/libexec/webmin/virtual-server/change-password.pl
passwd_dict=0
passwd_min=0
passwd_re=
mailbox=1
md5=1

Hi guys,

Anything more on this? I would love to get this buttoned up so when users reset their passwords they meet our password requirements.

Thanks!
-- Craig

So one hack that will work is to set passwd_re= in that file to the regular expression you want to use to force safe passwords.

However, there is a Virtualmin bug here - it should be enforcing the same password rules. I will fix that in the next release.