Nov 24, 2024


Cracklib


Source: official site.

Introduction

Module overview

crack is a Python module that offers a simple interface for testing the strength of given passwords.

It uses the standard cracklib2 library to check whether passwords are based on dictionary words or are too simple.

Other tests, such as checking that a minimum number of characters have been changed when an old password is replaced, were written with the (well-regarded) PAM library as a model.

These tests are configurable and can be very strict.

Installation

Download the file from the official site.

Install the cracklib2-dev dependency:

  $ sudo aptitude install cracklib2-dev

Finally, unpack and install the module:

  tar zxvf python-crack-0.5.1.tar.gz
  cd python-crack-0.5.1/
  ./configure
  make
  sudo make install

Usage

Testing a password

FascistCheck

To test a password, use the FascistCheck method:

  >>> import crack
  >>> crack.FascistCheck("fdseqs")
  'fdseqs'

When no exception is raised, as above, the proposed password is acceptable.

VeryFascistCheck

The VeryFascistCheck method, as its name suggests, is stricter than the previous one: the password fdseqs no longer passes...

  >>> crack.VeryFascistCheck("fdseqs")
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/local/lib/python2.5/site-packages/crack.py", line 191, in VeryFascistCheck
      raise ValueError, "is too simple"
  ValueError: is too simple

Different exceptions

A password can be rejected for various reasons. A few examples are given below...

Not enough different characters

  >>> crack.FascistCheck("fdsess")
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
  ValueError: it does not contain enough DIFFERENT characters

Too short

Import the module, then test the password 1234:

  >>> import crack

  >>> crack.FascistCheck("1234")
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
  ValueError: it is too short

An exception is raised: the password is too short.

Too simple

Now try 123456:

  >>> crack.FascistCheck("123456")
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
  ValueError: it is too simplistic/systematic

This time the password is too simple, "systematic". The password abcdefghilmn would give the same result, for example.

Dictionary-like word

Some passwords are too close to what could be found in a dictionary:

  >>> crack.FascistCheck("secret")
  Traceback (most recent call last):
    File "<stdin>", line 1, in ?
  ValueError: it is based on a dictionary word

Proposing a new password

  >>> crack.VeryFascistCheck("secret", "scrt")
  Traceback (most recent call last):
    File "<stdin>", line 1, in ?
    File "/usr/lib/python2.2/site-packages/crack.py", line 187, in VeryFascistCheck
      raise ValueError, "is too similar to the old one"
  ValueError: is too similar to the old one

  >>> crack.VeryFascistCheck("secret", "cretse")
  Traceback (most recent call last):
    File "<stdin>", line 1, in ?
    File "/usr/lib/python2.2/site-packages/crack.py", line 185, in VeryFascistCheck
      raise ValueError, "is rotated"
  ValueError: is rotated

  >>> crack.FascistCheck("this is a really secure secret but do not use it!!")
  'this is a really secure secret but do not use it!!'

Detailed interface

FascistCheck(passwd [, dictpath])
It maps the cracklib function of the same name, with a few differences.
  • First, it always returns the given passwd. If the password is found to be weak, a ValueError exception is raised with its argument set to the reason returned by cracklib's FascistCheck.
  • Second, the dictpath parameter is optional. If it is not specified, the default one, determined at build time, is used. See the default_dictpath variable.
VeryFascistCheck(passwd [, old_passwd [, dictpath]])
It behaves like FascistCheck but also performs checks for palindromes and simple passwords.

If the optional old_passwd is provided, additional checks are performed for the minimum distance between the two passwords, for similarity, for case-only changes and for rotation. A ValueError is raised in case of a weak password.

The dictpath parameter is used only for the inner call to FascistCheck, so it has the same meaning as it has for FascistCheck.

default_dictpath
It is the default prefix of the cracklib dictionary database. Its value is determined at build time.

It is used automatically if the dictpath parameter is not specified when calling FascistCheck or VeryFascistCheck.

diff_ok
This argument changes the default of 10 for the number of characters in the new password that must not be present in the old password. In addition, if at least half of the characters in the new password are different, the new password is accepted anyway.
min_length
The minimum acceptable size for the new password (plus one if credits are not disabled, which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (digit, upper, lower and other). The default for this parameter is 9, which is fine for an old-style Unix password made of a single type of character but may be too low to exploit the added security of an MD5 system. Note that there is a pair of length limits in cracklib itself: a "way too short" limit of 4 which is hard-coded, and a defined limit of 6 that is checked without reference to min_length. If you want to allow passwords as short as 5 characters, you should either not use this module or recompile the crack library and then recompile this module.
dig_credit
(N >= 0) This is the maximum credit for having digits in the new password. If you have N or fewer digits, each digit counts +1 towards meeting the current min_length value. The default for dig_credit is 1, which is the recommended value for a min_length below 10. (N < 0) This is the minimum number of digits that a new password must contain.
up_credit
(N >= 0) This is the maximum credit for having upper-case letters in the new password. If you have N or fewer upper-case letters, each letter counts +1 towards meeting the current min_length value. The default for up_credit is 1, which is the recommended value for a min_length below 10. (N < 0) This is the minimum number of upper-case letters that a new password must contain.
low_credit
(N >= 0) This is the maximum credit for having lower-case letters in the new password. If you have N or fewer lower-case letters, each letter counts +1 towards meeting the current min_length value. The default for low_credit is 1, which is the recommended value for a min_length below 10. (N < 0) This is the minimum number of lower-case letters that a new password must contain.
oth_credit
(N >= 0) This is the maximum credit for having other characters in the new password. If you have N or fewer other characters, each character counts +1 towards meeting the current min_length value. The default for oth_credit is 1, which is the recommended value for a min_length below 10. (N < 0) This is the minimum number of other characters that a new password must contain.
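The sessions in the Usage section and the parameter descriptions above are easier to follow with the rules written out. The block below is an added example, not python-crack's own code and not cracklib: it reconstructs, in pure Python, the PAM-style checks the page describes (length floors, palindrome, case-only change, rotation, the diff_ok distance rule, and the credit-based min_length rule) and mirrors the documented contract of returning the password or raising ValueError with the reason. The dictionary test is deliberately left out so it runs offline; the parameter names come from the page, while the exact scoring and the reason strings for checks the page does not show are assumptions and may differ from the module.

```python
"""Reconstruction of the PAM-style checks described for VeryFascistCheck.

Added example; NOT python-crack's own implementation and NOT a cracklib call.
The dictionary test is omitted, and the scoring is reconstructed from the
page's parameter descriptions (it may differ from the module in corner cases).
"""

# Defaults as documented on the page
DEFAULTS = dict(min_length=9, diff_ok=10,
                dig_credit=1, up_credit=1, low_credit=1, oth_credit=1)

# Length floors the page says cracklib enforces regardless of min_length
WAY_TOO_SHORT = 4
TOO_SHORT = 6


def _class_counts(pw):
    """Number of digit, upper-case, lower-case and 'other' characters."""
    digits = sum(c.isdigit() for c in pw)
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    return digits, upper, lower, len(pw) - digits - upper - lower


def _credit(count, n):
    """Credit rule from the page: N >= 0 caps the credit at N (+1 per character
    of that class); N < 0 makes -N characters of that class mandatory and gives
    no credit. Returns None when a mandatory minimum is not met."""
    if n >= 0:
        return min(count, n)
    return 0 if count >= -n else None


def _is_rotated(new, old):
    """'cretse' is 'secret' rotated: same length and found inside old+old."""
    return len(new) == len(old) and new in old + old


def _distance_ok(new, old, diff_ok):
    """diff_ok rule: enough characters of new are absent from old, or at least
    half of new's characters differ from old."""
    fresh = sum(1 for c in new if c not in old)
    return fresh >= diff_ok or fresh >= len(new) / 2


def check_password(passwd, old_passwd=None, **params):
    """Return passwd if it passes; otherwise raise ValueError(reason), the
    exception contract the page documents for FascistCheck/VeryFascistCheck."""
    p = {**DEFAULTS, **params}

    if len(passwd) < WAY_TOO_SHORT:
        raise ValueError("it is WAY too short")        # assumed wording
    if len(passwd) < TOO_SHORT:
        raise ValueError("it is too short")
    if passwd == passwd[::-1]:
        raise ValueError("is a palindrome")            # assumed wording

    if old_passwd is not None:
        if passwd == old_passwd:
            raise ValueError("is the same as the old one")   # assumed wording
        if passwd.lower() == old_passwd.lower():
            raise ValueError("case changes only")            # assumed wording
        if _is_rotated(passwd, old_passwd):
            raise ValueError("is rotated")
        if not _distance_ok(passwd, old_passwd, p["diff_ok"]):
            raise ValueError("is too similar to the old one")

    counts = _class_counts(passwd)
    caps = (p["dig_credit"], p["up_credit"], p["low_credit"], p["oth_credit"])
    credits = [_credit(c, n) for c, n in zip(counts, caps)]
    if None in credits:
        raise ValueError("does not contain enough of a required character class")
    # "plus one" because credits are enabled, as the page states for the default
    if len(passwd) + sum(credits) < p["min_length"] + 1:
        raise ValueError("is too simple")
    return passwd


def reason(passwd, old_passwd=None, **params):
    """Convenience wrapper: the rejection reason, or None when accepted."""
    try:
        check_password(passwd, old_passwd, **params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed inputs, including the pairs shown in the page's sessions
    for new, old in [("fdseqs", None), ("secret", "scrt"), ("secret", "cretse"),
                     ("Tr0ub4dor&3xyz", None)]:
        print(repr(new), "->", reason(new, old) or "accepted")
```

Running it reproduces the page's outcomes for fdseqs ("is too simple": 6 characters plus one lower-case credit is below the default 9+1), for secret against scrt ("is too similar": only the two e's are absent from the old password, which is neither 10 characters nor half the new one) and for secret against cretse ("is rotated"). Passing a negative credit, for example dig_credit=-2, turns the credit into a requirement, which is the page's N < 0 case.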

A word on security

Python does not let you manage memory directly, by hand. Objects such as character strings (and therefore passwords) are cleared from memory by a garbage collector that Python runs automatically and transparently for the programmer.

This means the maintainers of the cracklib module have no way to wipe memory after a password has been tested.

This can be regarded as a security weakness: anyone with access to the memory could potentially recover the password there, at least in part.

This possibility should be taken into account, and Python may prove not to be safe enough if you cannot guarantee that nobody has access to your computer's memory.
