T6353: Add password strength check and basic validation

[oniko94]

Change summary

• Add functionality to check the non-default user password strength based on its entropy
• Refactor prompting for the non-default password to check for minimal length (4 characters) and display the weak password warnings

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
• Other (please describe):

Related Task(s)

• https://vyos.dev/T6353

Related PR(s)

How to test / Smoketest result

• Built a .deb package using the official Docker image vyos/vyos-build:current
• Built an ISO image
• Boot up a virtual machine (qemu-system-x86_64, host: Linux Mint) from the live ISO image built in the previous step
• Run install image
• Check:
  • Password shorter than 4 characters
  • Password with only lowercase letters'
  • Password with uppercase, lowercase letters and digits
  • Made sure in all cases the actual output matched the expected output

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• I have run the components SMOKETESTS if applicable
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[github-actions]

❌
PR title does not match the required format

[sever-sever]

Smoketests fails https://github.com/vyos/vyos-1x/actions/runs/13205019283/job/36866670173?pr=4338#step:5:760

[dmbaturin]

There's a widely used tool for password strength checking — cracklib. Debian has Python bindings in the repos (python3-cracklib) and it includes a dictionary check in addition to entropy checks. The FascistCheck function from https://github.com/cracklib/cracklib/blob/main/src/python/cracklib.py may suffice (however distasteful its name is...).

The entropy function may still be useful because we may want to set a higher cutoff point than cracklib, but we certainly should also use something for a dictionary check to prevent passwords like 'Password999?' that technically have decent entropy but can be easily cracked with a dictionary attack.

The requirement for special characters have long been proven to be counterproductive and should be removed in any case. If cracklib likes a password but it's below our entropy threshold, we can tell the user to make it longer. Otherwise we can just use cracklib's error, since it gives it in the exception message:

>>> cracklib.FascistCheck('swordfish')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: it is based on a dictionary word

[dmbaturin]

The requirement to have special characters and digits is still widespread but security studies found that it's misguided because it can only improve password entropy by making it less memorable. Stringing multiple words together can create passwords with very high entropy that are still easy to remember.

See the NIST recommendation and the XKCD#936 for an illustration.

If we are to go with a custom implementation, I'd remove all requirements except length, since they will prevent high-entropy memorable passwords like the-magic-words-are-sqeamish-ossifrage (entropy in the set of keyboard-typeable characters about 250).

[oniko94]

@dmbaturin Thank you for your feedback! I've taken my time to read the docs for cracklib2 and decided that indeed it would be better to use it in our case. However, this means I would need to have several system packages present apart from the Python bindings - namely, the libcrack2, cracklib-runtime and wordlist. I have made the according changes in the vyos-build repo, a pull request incoming as soon as I finish testing locally.

Until my upcoming PR to vyos-build is reviewed and approved, I think it's better not to push any changes here so that I won't clutter your CI/CD pipeline with builds that are to fail in any case (since they lack required libraries).

P.S. I have also encountered a build issue while building the Docker container locally, which required a tiny patch in the Dockerfile as well. More details in the upcoming PR.

Best regards,
Sasha

[dmbaturin]

The lower boundary is incorrect: should be 59 (mis-pasted from the previous condition?)

[dmbaturin]

Why does the message say '4' when the requirement is 8?

[dmbaturin]

Using magic strings is a recipe for fragile code. Someone decides to change it to very strong (different case) and the check will break. The usual practice is to use constants, although here there's no need for constants for different strengths, either: just for the strength cutoff (if (strength < MIN_PASSWORD_ENTROPY) or similar).

[github-actions]

CI integration ❌ failed!

Details

CI logs

• CLI Smoketests (no interfaces) ❌ failed
• CLI Smoketests (interfaces only) ❌ failed
• Config tests ❌ failed
• RAID1 tests ❌ failed
• TPM tests ❌ failed

[oniko94]

vyos/vyos-build#903 @dmbaturin @sever-sever kindly review this PR - the changes added there block this one. Thanks in advance!