Bug 9631 - Broken password strength check
Summary: Broken password strength check
Status: RESOLVED DUPLICATE of bug 9105
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-02-04 09:11 UTC by Björn Baumbach
Modified: 2013-02-04 09:51 UTC

See Also:

Description Björn Baumbach 2013-02-04 09:11:35 UTC
There are at least two different issues in the password strength checks.

1. Multi-byte characters like 'ö', '€', 'é' are counted by byte. One
   multi-byte character counts as more than one character.
   This breaks the password length check. Since the typical minimum
   length is 7, passwords like "öäüö" are approved by the length check,
   because the length is 8.

2. The password quality checker check_password_quality(const char *s)
   from lib/util/genrand.c is (probably) intended to check whether the
   password contains 3 of the following five categories:
     - uppercase characters
     - lower case characters
     - digits
     - other ascii characters (like @,-_^=*: ...)
     - characters which are out of typical ascii range (multi-byte?)

   But the check is broken. The function checks whether the password
   contains 3 or more characters of the first 4 categories _OR_ the
   number of characters that are out of ascii range is greater than
   half the length of the password.
   That means that a password like "ö" is a complex password.
   The "ö" causes a number of 2 non-ascii characters, which is greater
   than half the password length, which is 1.

   The code from the check_password_quality function:
     has_high > strlen(reals)/2
   Where has_high is the number of _bytes_ that are non-ascii characters.

Microsoft composed the following rules (among others) for quality
checks. This is an abridgment from
http://msdn.microsoft.com/en-us/subscriptions/cc786468%28v=ws.10%29.aspx:

Passwords must contain characters from three of the following five
categories:

 - Uppercase characters of European languages (A through Z, with
   diacritic marks, Greek and Cyrillic characters)
 - Lowercase characters of European languages (a through z, sharp-s,
   with diacritic marks, Greek and Cyrillic characters)
 - Base 10 digits (0 through 9)
 - Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
 - Any Unicode character that is categorized as an alphabetic character
   but is not uppercase or lowercase. This includes Unicode characters
   from Asian languages.
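The following is an added example, not code from Samba or from the reporter. It reconstructs the byte-based logic described in the report (category flags from ASCII bytes, `has_high` counting non-ASCII bytes, and the "more than half the bytes are non-ASCII" shortcut) as `flawed_is_complex`, and places beside it a checker that decodes UTF-8 and measures length and categories per code point, so that "öäüö" is 4 characters rather than 8 and "ö" no longer passes by itself. The function names, the small `utf8_decode` helper, and the simplification that every non-ASCII code point is lumped into a single fifth category (the Microsoft rules quoted above would class 'ö' as a lowercase letter; a real implementation would consult Unicode character properties) are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Reconstruction of the flawed logic the report describes (an assumption of
 * this example, not Samba's code): category flags are set from ASCII bytes,
 * has_high counts non-ASCII *bytes*, and the password passes when 3 of the
 * first 4 categories appear OR more than half of its bytes are non-ASCII.
 */
static bool flawed_is_complex(const char *s)
{
    bool upper = false, lower = false, digit = false, other = false;
    size_t has_high = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)s; *p; p++) {
        if (*p >= 0x80) has_high++;          /* every byte of a multi-byte char */
        else if (isupper(*p)) upper = true;
        else if (islower(*p)) lower = true;
        else if (isdigit(*p)) digit = true;
        else if (isgraph(*p)) other = true;  /* printable, non-alphanumeric */
    }
    return (upper + lower + digit + other) >= 3 || has_high > strlen(s) / 2;
}

/* Decode one UTF-8 sequence at p; returns bytes consumed (1..4), or 0 if malformed
 * (bad lead byte, missing continuation, overlong form, surrogate, > U+10FFFF). */
static size_t utf8_decode(const unsigned char *p, uint32_t *cp)
{
    if (p[0] < 0x80) {
        *cp = p[0];
        return 1;
    }
    if ((p[0] & 0xE0) == 0xC0 && (p[1] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(p[0] & 0x1F) << 6) | (p[1] & 0x3F);
        return *cp >= 0x80 ? 2 : 0;
    }
    if ((p[0] & 0xF0) == 0xE0 && (p[1] & 0xC0) == 0x80 && (p[2] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(p[0] & 0x0F) << 12) | ((uint32_t)(p[1] & 0x3F) << 6) | (p[2] & 0x3F);
        return (*cp >= 0x800 && (*cp < 0xD800 || *cp > 0xDFFF)) ? 3 : 0;
    }
    if ((p[0] & 0xF8) == 0xF0 && (p[1] & 0xC0) == 0x80 &&
        (p[2] & 0xC0) == 0x80 && (p[3] & 0xC0) == 0x80) {
        *cp = ((uint32_t)(p[0] & 0x07) << 18) | ((uint32_t)(p[1] & 0x3F) << 12) |
              ((uint32_t)(p[2] & 0x3F) << 6) | (p[3] & 0x3F);
        return (*cp >= 0x10000 && *cp <= 0x10FFFF) ? 4 : 0;
    }
    return 0;
}

struct pw_stats {
    size_t codepoints;     /* characters, not bytes */
    unsigned categories;   /* how many of the five categories are present */
    bool valid_utf8;
};

/* Walk the string by code point and record what it contains. Simplification
 * (assumption of this example): any non-ASCII code point is counted as one
 * "non-ASCII" category rather than being classified as upper/lower case. */
static struct pw_stats analyse_password(const char *s)
{
    struct pw_stats st = { 0, 0, true };
    bool upper = false, lower = false, digit = false, other = false, high = false;
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        uint32_t cp;
        size_t n = utf8_decode(p, &cp);
        if (n == 0) {           /* malformed input: reject rather than guess */
            st.valid_utf8 = false;
            break;
        }
        p += n;
        st.codepoints++;
        if (cp >= 0x80) high = true;
        else if (isupper((int)cp)) upper = true;
        else if (islower((int)cp)) lower = true;
        else if (isdigit((int)cp)) digit = true;
        else if (isgraph((int)cp)) other = true;
    }
    st.categories = upper + lower + digit + other + high;
    return st;
}

/* Length is measured in code points and there is no "mostly non-ASCII" shortcut:
 * three of the five categories are required regardless of byte width. */
static bool fixed_is_acceptable(const char *s, size_t min_len)
{
    struct pw_stats st = analyse_password(s);
    return st.valid_utf8 && st.codepoints >= min_len && st.categories >= 3;
}

int main(void)
{
    const char *samples[] = { "ö", "öäüö", "passwörd", "Passw0rd!" };  /* constructed */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pw_stats st = analyse_password(samples[i]);
        printf("%-10s bytes=%zu chars=%zu cats=%u flawed=%d fixed=%d\n",
               samples[i], strlen(samples[i]), st.codepoints, st.categories,
               flawed_is_complex(samples[i]), fixed_is_acceptable(samples[i], 7));
    }
    return 0;
}
```

With a minimum length of 7, the reconstructed check accepts "ö" (2 non-ASCII bytes out of 2) and "öäüö" (8 bytes, 8 non-ASCII), while the code-point version rejects both for length and because they contain only one category. Malformed UTF-8 is rejected outright, so a truncated sequence cannot be counted as anything.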
Comment 1 Andrew Bartlett 2013-02-04 09:51:08 UTC
Thanks for the analysis.  I'm pretty sure this is a dup or extension of #9105 which I dropped the ball on.

Let's just have one bug for this, and finally get this fixed.

*** This bug has been marked as a duplicate of bug 9105 ***