Subject: re: security/10206 - proposed solution (concept)
To: None <>
From: Elad Efrat <>
List: tech-security
Date: 08/17/2005 01:05:22

I've written concept code, still work in progress, that allows an
admin to set a password policy in /etc/passwd.conf.

The current version has the following options when setting a policy:
minlen, maxlen, upper, lower, digits, punct.

minlen/maxlen - define the min. and max. length of the password. Zero
means no limit.
upper/lower/digits/punct - define what character sets are required to
be in the password. The first word should be ``yes'' or ``no''; an
optional argument can be in the form of ``N,M'', requiring at least
N characters of that class, but not more than M characters. Zero means
no limit here too.

An example entry in /etc/passwd.conf for at least 8 character passwords
combining both upper/lower case and digits can be:

  minlen = 8
  upper = yes
  lower = yes
  digits = yes

The code is available from It can very easily
be extended to support more policies. (for example, dictionary lists, if
people still care :)



Elad Efrat
PGP Key ID: 0x666EB914
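
The policy options described in the message above, as an added example that is not the code the post refers to. It parses the "key = value" lines and checks a candidate password against them. Assumptions: "no" means the class is not required, a bare "yes" means at least one character of that class, classes are ASCII-only, and the function names are hypothetical.

```python
import string

# Character classes named in the post; ASCII-only membership is an assumption.
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digits": string.digits, "punct": string.punctuation}

def parse_policy(text):
    """Parse 'key = value' lines into a policy dict; raise ValueError if malformed."""
    policy = {"minlen": 0, "maxlen": 0}            # 0 means no limit
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = (p.strip() for p in raw.partition("="))
        words = value.split()
        if not sep or not words:
            raise ValueError(f"malformed line: {raw!r}")
        if key in ("minlen", "maxlen") and len(words) == 1:
            policy[key] = int(words[0])
        elif key in CLASSES and words[0] in ("yes", "no") and len(words) <= 2:
            if words[0] == "no":
                continue                           # assumption: "no" = not required
            lo, hi = 1, 0                          # assumption: bare "yes" = at least one
            if len(words) == 2:
                n, m = (int(x) for x in words[1].split(","))
                lo, hi = max(n, 1), m
            if hi and lo > hi:                     # a range nobody could satisfy
                raise ValueError(f"unsatisfiable range: {raw!r}")
            policy[key] = (lo, hi)
        else:
            raise ValueError(f"bad option: {raw!r}")
    if policy["maxlen"] and policy["minlen"] > policy["maxlen"]:
        raise ValueError("minlen exceeds maxlen")
    return policy

def check_password(policy, password):
    """Return the names of violated options; an empty list means it conforms."""
    failed = []
    if policy["minlen"] and len(password) < policy["minlen"]:
        failed.append("minlen")
    if policy["maxlen"] and len(password) > policy["maxlen"]:
        failed.append("maxlen")
    for name, chars in CLASSES.items():
        if name in policy:
            lo, hi = policy[name]
            count = sum(c in chars for c in password)
            if count < lo or (hi and count > hi):
                failed.append(name)
    return failed

# The example entry from the post, plus a constructed "N,M" line.
EXAMPLE = "  minlen = 8\n  upper = yes\n  lower = yes\n  digits = yes\n"
CONSTRUCTED = EXAMPLE + "  punct = yes 1,2\n"
```

Rejecting an unsatisfiable policy at parse time keeps a typo in the configuration from silently locking every user out of changing their password.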