Even if libpam-cracklib is installed, lightdm accepts a too-short password.
This might be a security issue because a user can ignore the password policy defined by root.

How to reproduce:
1. install libpam-cracklib
2. create "user1" with password "foo"
3. expire user1's password as root:
$ sudo passwd -e user1
4. try to log in as user1 on lightdm with password "foo"
5. get the "You are required to change password" message
and be prompted to input a new password

Expected results:
if you input a too-short password like "bar" in the box,
then lightdm rejects it and re-prompts you to type a stronger password.

Actual results:
if you input a too-short password like "bar" in the box twice,
then lightdm accepts it and changes the password to the too-short one,
although it says "BAD PASSWORD: it is WAY too short" and "BAD PASSWORD: is too simple".

NOTE:
the passwd command with user privileges properly rejects a too-short password, like below:
$ passwd
(current) UNIX password: #<- type "foo"
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
New password: #<- type "bar"
BAD PASSWORD: it is WAY too short
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Changing password for user1.
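Before blaming the greeter, a practitioner will want to confirm that the lightdm PAM service actually wires pam_cracklib into its password stack with a fatal control flag. The checker below is an added example, not code from the bug report or from lightdm; the two pam.d samples are constructed to mirror the Ubuntu layout (service file plus @include common-password) and are assumptions, not files copied from the reporter's system.

```python
"""Check whether a PAM service's password stack wires in a strength module."""
import re

# Constructed sample modelled on Ubuntu's /etc/pam.d/lightdm (assumption)
LIGHTDM_PAM = """\
#%PAM-1.0
auth    requisite   pam_nologin.so
@include common-auth
@include common-account
@include common-session
@include common-password
"""

# Constructed /etc/pam.d/common-password as libpam-cracklib would leave it
COMMON_PASSWORD_CRACKLIB = """\
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
# Constructed common-password without any strength module
COMMON_PASSWORD_PLAIN = """\
password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
"""

STRENGTH_MODULES = ("pam_cracklib.so", "pam_pwquality.so")
# control field may be a word (requisite) or bracketed ([success=1 default=ignore])
LINE_RE = re.compile(r"password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def password_stack(service_text, includes):
    """Return (control, module, args) tuples of the 'password' stack,
    expanding '@include name' from the includes dict (name -> file text)."""
    stack = []
    for raw in service_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line.startswith("@include"):
            name = line.split(None, 1)[1]
            stack.extend(password_stack(includes.get(name, ""), includes))
            continue
        m = LINE_RE.match(line)
        if m:
            stack.append((m.group(1), m.group(2), m.group(3)))
    return stack

def strength_enforced(stack):
    """True if a strength module is present and its failure is fatal."""
    return any(mod in STRENGTH_MODULES and ctrl in ("required", "requisite")
               for ctrl, mod, _ in stack)
```

If this reports the strength module as enforced and lightdm still stores the weak password while passwd refuses it, the stack is fine and the fault lies in how the greeter handles the pam_chauthtok result, which is what the report above describes.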
ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: lightdm 1.4.0-0ubuntu4
ProcVersionSignature: Ubuntu 3.8.0-6.13-generic 3.8.0-rc7
Uname: Linux 3.8.0-6-generic x86_64
ApportVersion: 2.8-0ubuntu4
Architecture: amd64
CasperVersion: 1.330
Date: Sun Feb 17 16:26:19 2013
LightdmConfig:
 [SeatDefaults]
 user-session=ubuntu
 greeter-session=unity-greeter
LiveMediaBuild: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130217)
MarkForUpload: True
ProcEnviron:
 TERM=linux
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)