passwdqc 2.0.0 has been released. Its main novelty is support for external password filter files, including binary ones, which are currently an implementation of an improved cuckoo filter.
For those unfamiliar with passwdqc, it is a set of tools for controlling the complexity of passwords and passphrases. It includes the pam_passwdqc module; the pwqcheck, pwqfilter (added in this release) and pwqgen programs for manual or scripted use; and the libpasswdqc library.
Both systems with PAM (most Linux distributions, FreeBSD, DragonFly BSD, Solaris, HP-UX) and systems without PAM are supported: OpenBSD's password check interface is supported, a link is provided for using pwqcheck from PHP, a paid version exists for Windows, and the programs and library can be used on other systems as well.
passwdqc already does a very good job of rejecting weak passwords even without external files. Using such files can further improve passwdqc's effectiveness with little or no additional inconvenience to users, or it can allow other restrictions to be relaxed.
NIST recommends checking user-chosen passwords against known leaks. For the Openwall project, this is also a potential opportunity to fund the development of passwdqc (and not only passwdqc) through the sale of pre-built filters, without limiting users' ability to create their own filters with the pwqfilter program, which is published under a free license.
The program pwqfilter works with arbitrary strings and can be used in place of grep for many purposes beyond passwords and security. With this in mind, pwqfilter has several options similar to those found in grep, avoids using option names that conflict with grep’s, and uses the same return codes as grep.
Main new features of passwdqc 2.0.0
As mentioned at the beginning, the main novelty of this version is support for external password filter files. Compared to the wordlist-based checks of previous versions, such a filter is guaranteed never to let a forbidden password pass, but it can occasionally produce a false positive; with the settings and algorithm used in passwdqc, the probability of this is negligible.
Checking whether a password is present in the filter requires at most two random disk reads, which is very fast and generally does not put excessive load on the server.
To create and work with binary filters, the pwqfilter program has been added to passwdqc. It can build a filter either from a list of passwords or from their MD4 or NTLM hashes.
Support for NTLM hashes allows importing passwords from the HIBP (Pwned Passwords) list, which is distributed in that form. Much work has gone into optimizing pwqfilter in terms of speed, compactness of the resulting filters, and false positive rate.
For example, creating a cuckoo filter with a 98% load factor from the 21 GiB (22 GB) file pwned-passwords-ntlm-order-by-hash-v7.txt, which has more than 613 million lines, takes approximately 8 minutes on a Core i7-4770K processor.
The resulting filter is 2.3 GiB (2.5 GB) and has a false positive rate of approximately 1 in 1.15 billion. With a lower target load factor, the filter can be created much faster and will have an even lower false positive rate, but it will be larger.
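As an added illustration of how such a filter behaves (this is example code, not passwdqc's own implementation; blake2b is assumed as a stand-in for the MD4/NTLM hashes pwqfilter works with), here is a minimal partial-key cuckoo filter in Python with the properties described above: two candidate buckets per lookup, no false negatives, a false positive rate set by the fingerprint width, and a load factor that can be read back.

```python
import hashlib
import random

BUCKET_SIZE = 4   # fingerprints per bucket
FP_BYTES = 4      # fingerprint width; wider fingerprints mean fewer false positives
MAX_KICKS = 500   # relocation attempts before the filter is declared full

def _h(data: bytes) -> int:
    # blake2b stands in for the MD4/NTLM hashes pwqfilter works with (assumption).
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "little")

def _alt(index: int, fp: int, num_buckets: int) -> int:
    # Partial-key cuckoo hashing: the alternate bucket depends only on the current
    # bucket and the fingerprint, so entries can move without the original password.
    return (index ^ _h(fp.to_bytes(FP_BYTES, "little"))) % num_buckets

class CuckooFilter:
    def __init__(self, num_buckets: int):
        assert num_buckets & (num_buckets - 1) == 0, "power of two keeps _alt an involution"
        self.num_buckets = num_buckets
        self.buckets = [[] for _ in range(num_buckets)]
        self.count = 0

    def _candidates(self, item: bytes):
        fp = (_h(b"fp" + item) & ((1 << 8 * FP_BYTES) - 1)) or 1  # 0 is reserved
        i1 = _h(item) % self.num_buckets
        return fp, i1, _alt(i1, fp, self.num_buckets)

    def add(self, item: bytes) -> bool:
        fp, i1, i2 = self._candidates(item)
        i = i1 if len(self.buckets[i1]) < BUCKET_SIZE else i2
        for _ in range(MAX_KICKS):
            if len(self.buckets[i]) < BUCKET_SIZE:
                self.buckets[i].append(fp)
                self.count += 1
                return True
            # Both candidate buckets full: evict one entry into its alternate bucket.
            j = random.randrange(BUCKET_SIZE)
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = _alt(i, fp, self.num_buckets)
        return False  # too full: rebuild with more buckets or a lower load target

    def contains(self, item: bytes) -> bool:
        # At most two bucket reads per check, so at most two random disk accesses.
        # A stored password is never missed; a false hit needs a fingerprint collision.
        fp, i1, i2 = self._candidates(item)
        return fp in self.buckets[i1] or fp in self.buckets[i2]

    def load_factor(self) -> float:
        return self.count / (self.num_buckets * BUCKET_SIZE)
```

The constructed "leaked" list below is only sample input; a real filter would be built from a breach corpus such as the HIBP NTLM list.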
Finally, if you want to know more about this new release, you can check the details at the following link.
How to install passwdqc on Ubuntu and derivatives?
For those interested in installing passwdqc on their system, the instructions are shared below.
The package is in the Ubuntu repositories. Although the new version has not yet been updated there, it is only a matter of waiting a few days.
To install it, we just have to open a terminal and type the following:
sudo apt-get install passwdqc