[erlang-questions] Module For Enforcing Password Strength

Michael Santos <>
Tue Aug 17 03:24:28 CEST 2010


On Mon, Aug 16, 2010 at 09:05:23PM +0100, Gordon Guthrie wrote:
> Michael
> 
> Aye Caramba!
> 
> I will give it a go!
> 
> Would you expect cracklib to be pretty NIF-tastic - a stable code base, a
> quick turn-around so the VM doesn't stall?

Stable enough to have the same bugs for many years, it seems ;) I
just discovered that cracklib isn't thread safe and can crash the VM.
Apparently this was a problem in the Python lib as well. I've put a lock
around calls to cracklib for now.

Password checks should be quick, but it's possible that if you are doing
a large number of sequential checks in parallel, other processes may
be starved.

> Try it and see I suppose...
> 
> Gordon
> 
> On 16 August 2010 19:33, Michael Santos <> wrote:
> 
> > On Mon, Aug 16, 2010 at 05:52:48PM +0100, Gordon Guthrie wrote:
> > > Richard
> > >
> > > > cracklib. C bindings. Write your own wrapper.
> > >
> > > Kinda what I was hoping NOT to have to do :(
> > >
> > > Had a go at writing a C port driver a couple of years ago and didn't really
> > > get anywhere...
> >
> > Just for fun, I wrote an interface to libcrack and put it here:
> >
> > http://github.com/msantos/cerck
> >
> > Adding support for checking the length and the presence of characters
> > besides those in the alphabet should be simple. I'll add them later,
> > but it'd probably be better to write all of this in pure Erlang.
> >
> > One thing to watch out for: libcrack calls exit() if the dictionary
> > files don't exist, which will cause the VM to exit.
> >
> > > On 16 August 2010 11:20, Richard Andrews <> wrote:
> > >
> > > > cracklib. C bindings. Write your own wrapper.
> > > >
> > > > On Mon, Aug 16, 2010 at 6:34 PM, Gordon Guthrie <> wrote:
> > > > > Folks
> > > > >
> > > > > I was sitting fingers poised on the keyboard to write a module to test
> > > > > password strength and I thought, "haud on, somebody musta done this"...
> > > > >
> > > > > Does anyone know of a library module that checks passwords for:
> > > > > * length
> > > > > * dictionary attack
> > > > > * contains numbers/punctuation
> > > > > * etc, etc
> > > > >
> > > > > Or does anyone have the bones of one that could be turned into an open
> > > > > source library (I would take on the maintenance if that was too much of a
> > > > > chore).
> > > > >
> > > > > Gordon
> > > > >
> > > > > --
> > > > > Gordon Guthrie
> > > > > CEO hypernumbers
> > > > >
> > > > > http://hypernumbers.com
> > > > > t: hypernumbers
> > > > > +44 7776 251669
> > > > >
> 
> 
> -- 
> Gordon Guthrie
> CEO hypernumbers
> 
> http://hypernumbers.com
> t: hypernumbers
> +44 7776 251669
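
The checks asked for in the original question (length, digits and punctuation, dictionary words), written in pure Erlang as suggested in the thread. This is an added example, not code from cerck or cracklib. The module name pw_strength, the minimum length and the short inline word list are assumptions made for illustration.

```erlang
-module(pw_strength).
-export([check/1, check/2]).

-define(MIN_LEN, 10).   % assumed policy value, not from the thread
%% Constructed sample word list; a real check would load a full dictionary.
-define(WORDS, ["password", "letmein", "dragon", "qwerty", "monkey"]).

%% check(Password) -> ok | {error, [Reason]}
check(Password) -> check(Password, ?WORDS).

check(Password, Words) when is_list(Password) ->
    Checks = [fun too_short/1, fun no_digit/1, fun no_punct/1,
              fun(P) -> in_dictionary(P, Words) end],
    %% Collect every failed check so the caller can report all reasons at once.
    case [R || F <- Checks, {fail, R} <- [F(Password)]] of
        [] -> ok;
        Reasons -> {error, Reasons}
    end.

too_short(P) when length(P) < ?MIN_LEN -> {fail, too_short};
too_short(_) -> pass.

no_digit(P) ->
    case lists:any(fun is_digit/1, P) of
        true -> pass;
        false -> {fail, no_digit}
    end.

no_punct(P) ->
    %% Printable ASCII that is neither a letter nor a digit.
    IsPunct = fun(C) -> C > 32 andalso C < 127
                        andalso not (is_digit(C) orelse is_alpha(C)) end,
    case lists:any(IsPunct, P) of
        true -> pass;
        false -> {fail, no_punctuation}
    end.

%% Dictionary test on a normalised form: lower-cased with digits and
%% punctuation stripped, so "Password1!" still matches "password".
%% The reversed form is tested as well.
in_dictionary(P, Words) ->
    Core = [lower(C) || C <- P, is_alpha(C)],
    case lists:member(Core, Words)
         orelse lists:member(lists:reverse(Core), Words) of
        true -> {fail, dictionary_word};
        false -> pass
    end.

is_digit(C) -> C >= $0 andalso C =< $9.
is_alpha(C) -> (C >= $a andalso C =< $z) orelse (C >= $A andalso C =< $Z).
lower(C) when C >= $A, C =< $Z -> C + 32;
lower(C) -> C.
```

Because nothing here leaves the VM, there is no lock to hold and no exit() path when a dictionary file is missing.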