# pwpolicy.conf -*- coding: utf-8 -*- # # This is an example for a pattern file used to validate passwords. # Passwords matching an entry in this file are considered weak and # will be rejected. # # The file is line based with comment lines beginning on the *first* # position with a '#' and followed by at least one white space. Empty # lines and lines with only white space are ignored. The other lines # may either be verbatim patterns and match as they are (trailing # spaces are ignored) or Perl compatible regular expressions (pcre) # indicated by a '/' in the first column and terminated by another '/' # or end of line. To reverse the meaning of a regular expression # prefix it with an exclamation mark like this: # # !/^.{6,}$/ # # This will reject a passphrase with less than 6 characters. All # comparisons are case insensitive; utf-8 encoding must be used. A # few processing instructions are supported: # # #+desc[:] A string describing the next pattern # # This is used to return meaningful error messages. To end a group of # pattern with the same description either a new "#+desc:" line may be # used or the instruction: # # #+nodesc # # To include a list of simple pattern use: # # #+search[:] FILENAME # # Note that this is a simple linear search and stops at the first # match. Comments are not allowed in that file. A line in the # dictionary may not be longer than 255 characters. # # To perform checks on the username/password combination, you should # use: # # #+username # # Currently this checks whether the password matches or is included in # the password. It may eventually be extended to further tests. ############################ # This is an example file where all lines are explicitly prefixed with # an additional "#" to comment out anything. # On your own decision you may activiate policies and modify them. # Be aware: By default any password is allowed. ############################ ## Let's start with a simple test ##+desc: Too short (at least 8 characters are required) #!/^.{8,}$/ # ## Check that the user name does not match the password. ## (The desc string is not used here.) ##+username # ##+desc: Only digits #/^[[:digit:]]+$/ # ##+desc: Not a mix of letters digits and control characters #!/[[:alpha:]]+/ #!/[[:digit:]]+/ #!/[[:punct:]]+/ # ##+desc: No mixed case #!/(?-i)([[:lower:]]+.*[[:upper:]]+)|([[:upper:]]+.*[[:lower:]]+)/ # ##+desc: Date string ## A limited check for ISO date strings #/^[012][0-9]{3}-?[012][0-9]-?[0123][0-9]$/ # ## Reject the usual metavariables. ##+desc: Meta variable #foo #bar #baz # ##+desc: Common test password #password #passwort #passphrase #mantra #test #abc #egal # ## Arbitrary strings ##+nodesc #12345678 #87654321 #qwerty #qwertyuiop #asdfghjkl #zxcvbnm #qwertzuiop #yxcvbnm #no-password #no password # ##+desc: Test string used by RTTY hams #the quick brown fox jumps over the lazy dogs back # ##+desc: German number plate #/^[A-Z]{1,3}\s*-\s*[A-Z]{1,2}\s*[0-9]+$/ # ##+desc: Dictionary word ##+search: /usr/share/dict/words ## Note that searching a large dictionary may take some time, it might ## be better to use an offline password auditing tool instead. # end of policy file