{Your Name} – {Your Student Number} – Network Scripting ICA 1

On Enforcing the Use of High Entropy Passwords in Linux Systems

{Your Name}
Teesside University
{Your Email Address}

Abstract

A common folk belief is that password entropy is a good indicator of password strength. However, there are studies that challenge this view. In this paper, we discuss and investigate password entropy and its relation to password strength. We show how we can enforce password entropy in Linux systems by encoding password composition policies in Serenity, a domain-specific language for creating certified password composition policies.

1. Introduction

It is widely believed that password entropy is a good indicator of password strength: higher entropy results in better passwords. However, research has shown that this is not necessarily the case. In fact, Ma et al. (2010) state that entropy cannot be used as a quality indicator for passwords and propose a new password quality measure. Other studies, such as the one performed by Shay et al. (2014), suggest that password length alone is enough, because it achieves a good balance between security and usability.

In this short paper, we survey existing research on password entropy and list some password quality policies suggested in the literature. We show how we can enforce these policies in Linux systems with Serenity, a domain-specific language (DSL) for creating certified password composition policies that follows from the work developed by Ferreira et al. (2017). We also compare Serenity with the current default password quality mechanism available in most Linux systems.

This paper is structured as follows: in Section 2, we discuss related and previous work on password quality, focusing on password entropy; in Section 3, we list and discuss some password quality policies that we identified in our literature review; in Section 4, we show how to encode some of these policies in Serenity; in Section 5 we conclude with a summary and some final observations.

2. Related Work

Even though it is widely believed that password entropy is a good measure of password strength, researchers have found that policies requiring longer passwords with fewer requirements can be more usable and, in some cases, more secure than conventional policies. For example, this is supported by Shay et al. (2014), who conducted an online experiment with 8,143 participants to evaluate eight different policies. Their results confirm that password policies requiring length lead to more usability, and in some cases more security, than those requiring only a comprehensive mix of character classes and a dictionary check.

TODO:

1. Write a summary similar to the one above for the reference Ma et al. (2010). (10%)
2. Add one new reference and write a summary of it. Use Word’s reference manager! (10%)

3. Password Composition Policies Focused on Entropy

TODO:

3. Here, you should describe in more detail at least two (maximum of four) password composition policies that focus on entropy. As
Page 1 of 3
a starting point, look at the policy mentioned in the conclusion of Ma et al. (2010) and at the policies mentioned in Shay et al. (2014), for example comprehensive8, basic12, basic16, 2word12 etc. (20%)

3.1. Enforcing Password Entropy Constraints on Linux Systems

In Linux systems, password composition policies are enforced using PAM modules (Samar, 1996) such as pam_cracklib or pam_pwquality. In the popular Linux distribution CentOS 7, password composition policies are enforced by the module pam_pwquality and can be configured in the file at /etc/pam.d/system-auth. An example of a password composition policy is:

    password requisite pam_pwquality.so minclass=3

This line configures the system so that…

TODO:

4. Finish the above sentence by explaining what this line does (remember to read the man page of pam_pwquality, as suggested in Session 5). (5%)
5. Give 2 examples of passwords accepted by this pam_pwquality policy and 2 examples of passwords rejected. (4%)

4. Encoding Password Composition Policies in Serenity

In the previous section, we identified and listed a few relevant password composition policies. In this section, we show how they can be encoded in Serenity.

TODO:

6. Here, you should show how some of the policies mentioned in the previous section can be encoded in Serenity (at least 2 of them). For example, a policy such as 2class8 would be encoded as:

    Definition 2class8 :=
      (enforce new_pwd (min length 8) "New password must be at least 8 characters long!") /*\
      (enforce new_pwd (min char_classes 2) "New password must contain at least 2 classes of characters (from lowercase, uppercase, numbers and symbols)!").

   You can (and should!) use the “pwdquality” virtual machine that we used in Session 5 to test your Serenity encodings. Edit the file PasswordPolicy.v and use the ./serenity-activate command. (20%)

4.1 Comparison with pam_pwquality

TODO: Here, you should:

7. Briefly compare pam_pwquality and Serenity. You can focus on the example shown above (where minclass=3) and use what you have learnt in Session 5. (5%)
8. Give an example of another Linux distribution that uses pam_pwquality (or pam_cracklib) as the main password composition policy enforcement mechanism. You will need to include a short description of the distribution and indicate who its target users are. (5%)

5. Conclusion

TODO:

9. Summarise what you have learned on password strength and password entropy. (5%)
10. Mention other criteria besides password entropy that can make password-protected systems more secure. (5%)

11. Finish the paper with a list of professional, ethical, and legal compliance considerations that need to be followed when managing a password-protected system. (6%)

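As an added worked example (not part of the assignment template, and not Serenity's or pam_pwquality's own code), the following Python models the two policies quoted above, the pam_pwquality minclass=3 line from Section 3.1 and the Serenity 2class8 definition from Section 4, and applies both to a few constructed passwords. It assumes the four character classes named in the 2class8 message and models only the rules the text states; the real pam_pwquality module also applies its other default checks, such as a minimum length and a dictionary check.

```python
"""Toy model of the two password policies quoted on this page: the pam_pwquality
line ``minclass=3`` (Section 3.1) and the Serenity policy ``2class8`` (Section 4).
Added example, not code from the assignment template, Serenity or pam_pwquality.
It models only the rules the text states; real pam_pwquality also applies other
default checks (for example a minimum length and a dictionary check)."""
from typing import Callable, Dict, List, Tuple

def char_classes(pwd: str) -> int:
    """Count the distinct character classes present: lowercase, uppercase,
    digits and 'other' (symbols, punctuation, spaces), the four classes that
    pam_pwquality's minclass and Serenity's char_classes both refer to."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(1 for is_class in tests if any(is_class(c) for c in pwd))

# One constraint mirrors Serenity's (enforce new_pwd <predicate> "<message>").
Constraint = Tuple[Callable[[str], bool], str]

def enforce(policy: List[Constraint], pwd: str) -> List[str]:
    """Return the message of every violated constraint; [] means accepted."""
    # Serenity's /*\ is conjunction, so every constraint must hold.
    return [msg for holds, msg in policy if not holds(pwd)]

# 2class8 transcribed from Section 4: length >= 8 AND at least 2 classes.
TWO_CLASS8: List[Constraint] = [
    (lambda p: len(p) >= 8,
     "New password must be at least 8 characters long!"),
    (lambda p: char_classes(p) >= 2,
     "New password must contain at least 2 classes of characters "
     "(from lowercase, uppercase, numbers and symbols)!"),
]

# minclass=3 from Section 3.1, reduced to the class-count rule alone
# (the message text is this model's own, not pam_pwquality's).
MINCLASS3: List[Constraint] = [
    (lambda p: char_classes(p) >= 3, "fewer than 3 character classes"),
]

def compare(pwd: str) -> Dict[str, bool]:
    """True where the policy accepts pwd, keyed by policy name."""
    return {"minclass=3": not enforce(MINCLASS3, pwd),
            "2class8": not enforce(TWO_CLASS8, pwd)}

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page. The last one is
    # the interesting case: a long two-class passphrase that 2class8 accepts
    # but minclass=3 rejects, the length-versus-classes trade-off of Section 2.
    for sample in ("password", "Passw0rd", "correct horse"):
        print(f"{sample!r:16} classes={char_classes(sample)} {compare(sample)}")
```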
References
Ferreira, J., Johnson, S., Mendes, A. & Brooke, P., 2017. Certified password quality—a case study using Coq and Linux pluggable authentication modules. International Conference on Integrated Formal Methods, pp. 407-421.
Ma, W., Campbell, J., Tran, D. & Kleeman, D., 2010. Password Entropy and Password Quality. Fourth International Conference on Network and System Security, pp. 583-587.
Samar, V., 1996. Unified login with pluggable authentication modules (PAM). Proceedings of the 3rd ACM Conference on Computer and Communications Security, pp. 1-10.
Shay, R. et al., 2014. Can long passwords be secure and usable? Proceedings of the 32nd Annual ACM Conference on Human Factors in Computing Systems, pp. 2927-2936.

TODO:

12. You should add at least 1 more reference, but ideally you should add 2 more. We suggest that you use Google Scholar, but you can also use plain old Google. Remember that, as a Teesside University student, you are expected to use Harvard Referencing. Use the Word reference manager to make this easy! (5%)