On Fri, Oct 18, 2019 at 7:01 AM Royce Williams <royce(a)techsolvency.com> wrote:
What originally caught my attention was the logic behind
enforcing password quality in passwd.c during a specific era of BSD code, which exited
ambiguously in a double negative of sorts, where control characters were not disallowed
during password entry. (I'll try to dig up the source.)
Specifically, see the eras in which passwd.c looked something like this:
https://github.com/dank101/4.2BSD/blob/708b3890ac0c2f034f2840b5ee9125b3c83a…
    while (c = *p++) {
        if (c >= 'a' && c <= 'z')
            flags |= 2;
        else if (c >= 'A' && c <= 'Z')
            flags |= 4;
        else if (c >= '0' && c <= '9')
            flags |= 1;
        else
            flags |= 8;
    }
    if (flags >= 7 && pwlen >= 4)
        ok = 1;
I was intrigued that the "special characters" character set was
defined negatively, such that control characters would also count.
Royce
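
The check quoted in the message above, as an added example that is not part of the original email or of the BSD source: it puts the quoted classifier beside a positively defined one and runs both on constructed inputs. The function names and the strict variant's printable-ASCII rule are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Class bits, same values as in the quoted excerpt. */
enum { F_DIGIT = 1, F_LOWER = 2, F_UPPER = 4, F_OTHER = 8 };

/* Quoted logic: every byte that is not a letter or digit sets bit 8,
 * so control characters are counted as "special" characters. */
static int flags_legacy(const char *p)
{
    int c, flags = 0;
    while ((c = (unsigned char)*p++) != 0) {
        if (c >= 'a' && c <= 'z') flags |= F_LOWER;
        else if (c >= 'A' && c <= 'Z') flags |= F_UPPER;
        else if (c >= '0' && c <= '9') flags |= F_DIGIT;
        else flags |= F_OTHER;
    }
    return flags;
}

/* Hypothetical positive definition: only printable ASCII (0x20..0x7e)
 * outside the letter/digit ranges sets bit 8; any other byte returns -1. */
static int flags_strict(const char *p)
{
    int c, flags = 0;
    while ((c = (unsigned char)*p++) != 0) {
        if (c >= 'a' && c <= 'z') flags |= F_LOWER;
        else if (c >= 'A' && c <= 'Z') flags |= F_UPPER;
        else if (c >= '0' && c <= '9') flags |= F_DIGIT;
        else if (c >= 0x20 && c <= 0x7e) flags |= F_OTHER;
        else return -1;
    }
    return flags;
}

/* The single acceptance rule visible in the excerpt. Bit 8 alone is
 * already >= 7, so one "other" byte is enough at length 4. */
static int rule(int flags, size_t pwlen) { return flags >= 7 && pwlen >= 4; }

static int ok_legacy(const char *pw) { return rule(flags_legacy(pw), strlen(pw)); }
static int ok_strict(const char *pw)
{
    int f = flags_strict(pw);
    return f >= 0 && rule(f, strlen(pw));
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real system. */
    const char *samples[] = { "\001\002\003\004", "Ab1\a", "Ab1!", "abc1" };
    for (size_t i = 0; i < 4; i++)
        printf("sample %zu: legacy=%d strict=%d\n", i,
               ok_legacy(samples[i]), ok_strict(samples[i]));
    return 0;
}
```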