4 crack -- Interface Details

The crack module defines check functions and parameters used to test passwords' strength.

FascistCheck(passwd [, dictpath])

It maps the homonym cracklib function with few differences.

First, it always returns the given passwd. If it is found to be weak ValueError exception is raised with parameter set to the reason returned by cracklib's FascistCheck.

Second, dictpath parameter is optional. If it is not specified the default one, determined at build time, is used. See default_dictpath variable.

VeryFascistCheck(passwd [, old_passwd [, dictpath]])

It behaves like FascistCheck but performs also checks for palindrome and simple passwords.

If the optional old_password is provided additional checks for minimum distance between the two passwords, for similarity, for change of case only and for rotation are performed.

Exception ValueError is raised in case of weak password.

dictpath parameter is used only for the inner call to FascistCheck, hence it has the same signification it has for FascistCheck.

default_dictpath

It is the default prefix to the cracklib dictionary database. Its value is determined at build time.

It is used automatically if dictpath parameter is not specified when calling FascistCheck or VeryFascistCheck.

diff_ok

This argument will change the default of 10 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.

min_length

The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (digit, upper, lower and other). The default for this parameter is 9 which is good for a old style Unix password all of the same type of character but may be too low to exploit the added security of a md5 system. Note that there is a pair of length limits in cracklib itself, a "way too short" limit of 4 which is hard coded in and a defined limit of 6 that will be checked without reference to min_length. If you want to allow passwords as short as 5 characters you should either not use this module or recompile the crack library and then recompile this module.

dig_credit

(N >= 0) This is the maximum credit for having digits in the new password. If you have less than or N digits, each digit will count +1 towards meeting the current min_length value. The default for dig_credit is 1 which is the recommended value for min_length less than 10. (N < 0) This is the minimum number of digits that must be met for a new password.

up_credit

(N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or N upper case letters each letter will count +1 towards meeting the current min_length value. The default for up_credit is 1 which is the recommended value for min_length less than 10. (N < 0) This is the minimum number of upper case letters that must be met for a new password.

low_credit

(N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or N lower case letters, each letter will count +1 towards meeting the current min_length value. The default for low_credit is 1 which is the recommended value for min_length less than 10. (N < 0) This is the minimum number of lower case letters that must be met for a new password.

oth_credit

(N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or N other characters, each character will count +1 towards meeting the current min_length value. The default for oth_credit is 1 which is the recommended value for min_length less than 10. (N < 0) This is the minimum number of other characters that must be met for a new password.