I recently contributed to the Cracklib open-source password-checking library. The library provides tools to analyze the relative strength of a proposed password so that users end up with more secure logins. My contribution focused on reducing the frequency with which Cracklib incorrectly identifies passwords as weak.

The previous version of Cracklib used a fixed value (4) for MAXSTEP (a variable used to identify repetitions), regardless of password length. I ran several tests based on randomly generated passwords of varying lengths. For longer lengths, many of these randomly generated passwords were flagged for having too many related pairs. Based on the curve created by these false positives with respect to password length (see Figure 1), I came up with a linear fit and steepened it slightly. The result is a simple function of password length that greatly reduces the occurrence of these false positives. This is an improvement over the previous version when long passwords are used, and it prevents a serious difficulty people may have creating long passwords that meet Cracklib's requirements.

Figure 1: The curve of false positives per password length using the previous version of Cracklib.

Figure 2: The varying size of the MAXSTEP variable and the new false-positive curve.
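To show why a fixed MAXSTEP produces more false positives as passwords get longer, here is an added simulation (my own illustration, not Cracklib's code). It assumes a simplified model of the related-pair test (adjacent characters that are identical or one code point apart) and a hypothetical length-scaled MAXSTEP, since the page does not give the fitted coefficients.

```python
import random
import string

# Alphabet for the constructed random passwords (lowercase letters + digits).
ALPHABET = string.ascii_lowercase + string.digits


def related_pairs(password: str) -> int:
    """Count adjacent character pairs that are identical or one code point apart
    (e.g. "ab", "zz", "ba"). Assumption: a simplified stand-in for Cracklib's
    related-pair test, not its actual implementation."""
    return sum(1 for a, b in zip(password, password[1:]) if abs(ord(a) - ord(b)) <= 1)


def fixed_maxstep(length: int) -> int:
    """The old behaviour described above: MAXSTEP is 4 regardless of length."""
    return 4


def scaled_maxstep(length: int) -> int:
    """Hypothetical length-dependent MAXSTEP (placeholder linear fit; the real
    coefficients from the contribution are not on the page)."""
    return 4 + length // 8


def is_flagged(password: str, maxstep_fn) -> bool:
    """Reject the password as having too many related pairs when the count exceeds MAXSTEP."""
    return related_pairs(password) > maxstep_fn(len(password))


def false_positive_rate(length: int, maxstep_fn, samples: int = 4000, seed: int = 1) -> float:
    """Fraction of uniformly random passwords of the given length that the check rejects.
    Random passwords carry no deliberate structure, so every rejection is a false positive."""
    rng = random.Random(seed)  # fixed seed so the table is reproducible
    flagged = 0
    for _ in range(samples):
        pw = "".join(rng.choices(ALPHABET, k=length))
        if is_flagged(pw, maxstep_fn):
            flagged += 1
    return flagged / samples


if __name__ == "__main__":
    print("length  fixed  scaled")
    for n in (8, 16, 24, 32, 48, 64):
        print(f"{n:6d}  {false_positive_rate(n, fixed_maxstep):.3f}"
              f"  {false_positive_rate(n, scaled_maxstep):.3f}")
```

The fixed column climbs with length because the expected number of related pairs grows linearly with the number of adjacent pairs while the threshold stays at 4; the scaled column stays flat.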