[Linux-disciples] Password policies
Stephen R Laniel
steve at laniels.org
Mon Aug 9 21:33:52 EDT 2004
The 'passwd' program performs *some* security checks against
proposed new passwords, but I've just discovered the 'john'
program, and it manages to crack at least some passwords
very quickly. The passwd(1) man page says that the security
checks vary from site to site, but I wonder: how might I
tweak the policy? Are these policies defined -- say, as a
series of regexes -- in a file somewhere?
Clearly, for instance, I'd want to use a large but
reasonable dictionary, and ensure that the proposed password
isn't in that dictionary (case-insensitively). Adding a
single digit to either end of a dictionary-word shouldn't
make the password valid. And so forth. In fact, this whole
paragraph seems like it could be encapsulated in a simple
function:
    sub isValidPassword {
        my ($password) = @_;              # the proposed new password
        my $candidate  = lc $password;    # compare case-insensitively
        foreach my $word (@dictionary) {  # @dictionary: lower-case word list, loaded elsewhere
            # reject the word itself, or the word with an optional digit at each end
            if ( $candidate =~ m/^[0-9]?\Q$word\E[0-9]?$/ ) {
                return 0;
            }
        }
        return 1;
    }
or somesuch. Is there any way to get this kind of
flexibility?
After failing at permutations on the dictionary, I think
'john' goes into a brute-force search. I'm curious how well
it'll do against my shadow password file within a reasonable
time -- say, a few days. Is there any reason that passwd(1)
wouldn't use some ridiculously strong hash algorithm that
couldn't possibly be brute-forced within, say, a year? Are
there any times other than at login, and when the password
is changed, during which passwd(1) gets called?
And yes, I am RTFMing even as we speak: [1], [2], etc.
[1] - http://shorl.com/dymylynydrysta
[2] - http://shorl.com/huhojygutrefy
--
``HYPNOBASSET ENGAGING OCULAR DEFENSE SYSTEM
TARGETING
TARGET ENGAGED
HELLO''
-Jon Sung on The Dogblog, http://shorl.com/jeprerylotapri
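The check sketched in the post, written out as an added example in Python (not code from the original message): a case-insensitive dictionary test that also rejects a word padded with a digit at either end, generalized so `max_digits` sets how many digits per end are stripped (1 reproduces the rule in the post), plus a minimum-length rule; the word list, rule names and `min_length` default are constructed for illustration.

```python
import re

# Constructed sample word list; a real policy would load a large dictionary file.
DICTIONARY = ["password", "secret", "linux", "basset", "hypnosis"]


def strip_digits(candidate: str, max_digits: int = 1) -> str:
    """Remove up to max_digits digits from the start and from the end of the
    candidate, so "1Secret9" -> "Secret" when max_digits is 1.  The lazy group
    keeps the core as short as the trailing digit run allows."""
    m = re.fullmatch(rf"\d{{0,{max_digits}}}(.*?)\d{{0,{max_digits}}}", candidate)
    return m.group(1)


def failed_checks(password: str, dictionary=DICTIONARY,
                  min_length: int = 8, max_digits: int = 1) -> list:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    words = {w.lower() for w in dictionary}
    # Case-insensitive lookup of the word left after stripping digit padding.
    core = strip_digits(password, max_digits).lower()
    if core in words:
        reasons.append("dictionary word")
    return reasons


def is_valid_password(password: str, **policy) -> bool:
    """True when no policy rule rejects the candidate."""
    return not failed_checks(password, **policy)


if __name__ == "__main__":
    # Constructed candidates showing each rule, and the effect of max_digits.
    for candidate, policy in [("Password1", {}), ("1Secret", {}), ("linux", {}),
                              ("basset99", {}), ("basset99", {"max_digits": 2}),
                              ("correct horse battery staple", {})]:
        print(f"{candidate!r} {policy}: {failed_checks(candidate, **policy) or 'ok'}")
```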