1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
\input texinfo @c -*-texinfo-*-
@c %**start of header
@setfilename passcheck.info
@settitle passcheck
@afourpaper
@documentencoding UTF-8
@documentlanguage en
@finalout
@c %**end of header
@dircategory Security
@direntry
* passcheck: (passcheck). Passphrase strength evaluator
@end direntry
@copying
Copyright @copyright{} 2013, 2015 Mattias Andrée
@quotation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, with no Front-Cover Texts, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
``GNU Free Documentation License''.
@end quotation
@end copying
@ifnottex
@node Top
@top passcheck -- Passphrase strength evaluator
@insertcopying
@end ifnottex
@titlepage
@title passcheck
@subtitle Passphrase strength evaluator
@author by Mattias Andrée (maandree)
@page
@vskip 0pt plus 1filll
@insertcopying
@page
@end titlepage
@contents
@menu
* Overview:: Brief overview of @command{passcheck}.
* Invoking:: Executing @command{passcheck}.
* Factors:: Factors weighted in at evaulation.
* GNU Free Documentation License:: Copying and sharing this manual.
@end menu
@node Overview
@chapter Overview
@command{passcheck} is a tool that rates passphrases based on the strengths,
a highly rated passphrase is a string passphrase. You are recommended not to
use any passphrases rated below 300.
Passphrases are read from stdin and the rating followed by the passphrase
for each passphrases is written to stdout, and stderr is quited unless the
program files.
@node Invoking
@chapter Invoking
@command{passcheck} parses each line (must end exactly with one UNIX line break)
as a passphrase and puts the (positive integer) rating before the passphrase
separated with one blankspace.
You may want to pipe stdout to @command{sort -n} to get the strongest passphrase
at the bottom.
Use @option{--raw} or @option{-r} if the passphrase may contain a ESC character,
otherwise it is parsed as an ANSI escape sequence which is ignored in the rating
and allows you to use colours in the passphrases.
Server with vast amount of RAM memory may want to load the entire blacklist
into RAM and create a hash set of it. To do this, use @option{--waste-ram} or
@option{-w}. It is unreasonly to do this unless you have the process running
indefinitely and (somewhat) continuously feed passphrases.
@node Factors
@chapter Factors
@command{passcheck} weights in the following factors when evaluating
the strength of a passphrase:
@itemize @bullet
@item
The passphrase is not a known real passphrase.
Currently a list of 5189414 leaked passphrases is is used.
This list is created from several password leaks, name
lists, and dictionaries.
@item
The passphrase is not a word listed in a file
inside either ofthe directory @file{/usr/share/dict/}
abd @file{/usr/local/share/dict/}.
@item
The degree to which characters are mixed.
@item
The classes of used characters. For example non-ASCII
characters are better than ASCII chracters.
@item
The distance, on a QWERTY-keyboard, of successive keys.
@item
The length of the passphrase.
@end itemize
It has been argued that passphrases should not form grammatically
correct sentence, even if the sentence itself if nonsense. The argument
is that the majority of possible choices of words can be eliminated for
each word position, based on the previous word. However a counterargument
for this concern is that number of possible combinations, assuming the
sentence is nonsensical, large enough even if choices can be eliminated
using grammar. Currently, evaluation based on grammar is not made, so if
you believe grammatically correct sentence should be avoided, please
manually check that the passphrase you choose does not form a grammatically
correct sentence, and preferably, not even in part.
@node GNU Free Documentation License
@appendix GNU Free Documentation License
@include fdl.texinfo
@bye
|
