A new version of passwdqc has been released. passwdqc is a set of tools for controlling the complexity of passwords and passphrases, including the pam_passwdqc module, the pwqcheck, pwqfilter (added in this release) and pwqgen programs for manual or script use, and the libpasswdqc library. Both systems with PAM (most Linux, FreeBSD, DragonFly BSD, Solaris, HP-UX) and systems without PAM are supported (the passwordcheck interface is supported on OpenBSD, a binding for using pwqcheck from PHP is included, there is a paid version for Windows, and the programs and library can also be used on other systems).
Compared to previous versions, support has been added for external password filter files, including binary ones, which are currently an implementation of an improved cuckoo filter. Such a filter is guaranteed not to let any of the forbidden passwords through, but it can occasionally produce false positives, the probability of which is negligible with the settings and algorithm used in passwdqc. Checking a password against the filter requires no more than two random read accesses from disk, which is very fast and, as a rule, does not create excessive server load.
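The following added example (not passwdqc code) shows why a cuckoo filter has no false negatives and why a lookup touches at most two buckets. It is the textbook cuckoo filter, not passwdqc's improved variant or its file format; SHA-256, the 16-bit fingerprint, the bucket sizes and the deny list are assumptions constructed for the demonstration.

```python
import hashlib
import random

BUCKETS = 1 << 10   # power of two, so the XOR step below stays in range
SLOTS = 4           # fingerprints stored per bucket
MAX_KICKS = 500     # relocation attempts before the filter is declared full

def h64(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def fingerprint(item: bytes) -> int:
    return (h64(b"fp:" + item) & 0xFFFF) or 1   # 16-bit, never 0

def alt_bucket(index: int, fp: int) -> int:
    # Other candidate bucket, derived from the fingerprint alone, so a stored
    # entry can be relocated without knowing the original password.
    return index ^ (h64(fp.to_bytes(2, "big")) % BUCKETS)

class CuckooFilter:
    def __init__(self):
        self.buckets = [[] for _ in range(BUCKETS)]
        self.rng = random.Random(1)   # fixed seed: reproducible build

    def insert(self, item: bytes) -> bool:
        fp, idx = fingerprint(item), h64(item) % BUCKETS
        for cand in (idx, alt_bucket(idx, fp)):
            if len(self.buckets[cand]) < SLOTS:
                self.buckets[cand].append(fp)
                return True
        for _ in range(MAX_KICKS):    # evict a resident, move it to its alternate
            k = self.rng.randrange(SLOTS)
            fp, self.buckets[idx][k] = self.buckets[idx][k], fp
            idx = alt_bucket(idx, fp)
            if len(self.buckets[idx]) < SLOTS:
                self.buckets[idx].append(fp)
                return True
        return False   # an entry was dropped: the build must fail, not continue

    def lookup(self, item: bytes) -> tuple[bool, int]:
        # Returns (is_forbidden, buckets_read); buckets_read is 1 or 2.
        fp, i1 = fingerprint(item), h64(item) % BUCKETS
        if fp in self.buckets[i1]:
            return True, 1
        return fp in self.buckets[alt_bucket(i1, fp)], 2

def build_demo():
    # Constructed sample deny list filling about 73% of the filter's capacity.
    denied = [b"password%d" % n for n in range(3000)]
    f = CuckooFilter()
    assert all(f.insert(p) for p in denied), "filter too small for the list"
    return f, denied
```

A failed insert is treated as fatal because the last evicted fingerprint is lost at that point, which would break the guarantee that every forbidden password is rejected.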
The pwqfilter program has been added to passwdqc to create and work with binary filters. It can create a filter either from a list of the passwords themselves or from their MD4 or NTLM hashes. NTLM hash support makes it possible to import passwords from the HIBP (Pwned Passwords) list, which is distributed in this form. A lot of work has been invested in optimizing pwqfilter for speed, compactness of the resulting filters, and false positive rate. For example, creating a cuckoo filter with a 98% load factor from the 21 GiB (22 GB) file pwned-passwords-ntlm-ordered-by-hash-v7.txt, which has more than 613 million lines, takes about 8 minutes on a Core i7-4770K processor. The resulting filter is 2.3 GiB (2.5 GB) and has a false positive rate of about 1 in 1.15 billion. With a lower target load factor, the filter can be created much faster and will have an even lower false positive rate, but it will be larger.
passwdqc does a very good job of rejecting weak passwords even without external files. Using them can make passwdqc even more effective with little or no additional inconvenience to users, or it can allow other restrictions to be relaxed. Checking user-selected passwords against known leaks is recommended by NIST.