Undeadly reader Alexander Peslyak (a.k.a. "Solar Designer") writes in with a note about his passwdqc password/passphrase strength checking and policy enforcement toolkit. Due to copious slacking by the undeadly editors, we're a bit late in getting this posted.

In April, I released version 1.2.0 of passwdqc. This version specifically improves support for OpenBSD, allowing for the pwqcheck program to be specified in OpenBSD's /etc/login.conf and invoked by the passwd(1) program. Previously, this was only supported via "unofficial" rework of older pam_passwdqc code by Damien Miller (djm@). Now it became official - immediately providing all improvements found in current and future versions of passwdqc (since OpenBSD support is to stay). Some recent improvements include fine-tuning of the checks on thousands of real-world cracked vs. presumed-strong passwords, support for 8-bit characters in passphrase words, and extra entropy encoded into randomly-generated passphrases. Not so recent improvements include separation of the "core" code into libpasswdqc, introduction of command-line programs (usable from scripts and now also by OpenBSD) and extra options to them, and making the PAM module optional (indeed, it's not built on OpenBSD, but is useful to have the same password policy elsewhere).

Long story short, to enable passwdqc on OpenBSD, build and install it, then insert the line ":passwordcheck=/usr/bin/pwqcheck -1:\" into the "default" section in /etc/login.conf. This will use passwdqc's default policy, which may be adjusted with additional command-line options (there's a man page documenting those).

Unfortunately, as of OpenBSD 4.6, there's no way to actually enforce the policy. If one enters a non-compliant password (or different ones) multiple times, passwd(1) will eventually give up and permit any password to be set. Hopefully, this shortcoming will get addressed in a later version.