Today I was working on a Flask web application that had a dependency on
cracklib. This seemed like an oddly named and surprising inclusion and so I
investigated. It turns out that it is a tool for checking passwords in order
to prevent users from choosing passwords that could be guessed by “crack” by filtering them out, at source.
While this seems all well and good, the reason this even came to my attention
is that cracklib doesn't play nice with
pip because it expects the libcrack
library to already be installed, resulting in errors like so:
    ./_cracklib.c:40:19: fatal error: crack.h: No such file or directory
     #include <crack.h>
                       ^
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
At this point it seemed like a relatively simple piece of functionality to incur such a complicated dependency, so I set out to find a drop-in replacement. After a bit of searching, this flask-wtf issue led me to Safe.
Though perhaps the checks are a bit less stringent than libcrack, the result is awesomely simple and easy to install (relative to the alternative). The only thing that really took a bit of time to wrap my head around was the returned result and how to get good error messages.
A final thought would be to just completely do away with any external dependency at all and just roll a custom password strength checker, for example length and character classes, but at the moment Safe does the trick.
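The dependency-free checker mentioned in the last paragraph, as an added example that is not code from the original post or from Safe: it checks length and character classes and returns a result object that is falsy on rejection and carries a readable message. The names `check_password` and `PasswordCheck` and the thresholds (10 characters, 3 classes) are assumptions.

```python
import string
from dataclasses import dataclass, field

# Character classes counted by the policy (class names double as error text).
CLASSES = {
    "lowercase letter": set(string.ascii_lowercase),
    "uppercase letter": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


@dataclass
class PasswordCheck:
    """Falsy when the password is rejected; carries every reason for the UI."""
    errors: list = field(default_factory=list)

    def __bool__(self):
        return not self.errors

    @property
    def message(self):
        return "; ".join(self.errors) if self.errors else "ok"


def check_password(password, min_length=10, min_classes=3):
    """Check length and class variety (thresholds are assumed defaults)."""
    result = PasswordCheck()
    if len(password) < min_length:
        result.errors.append(
            f"must be at least {min_length} characters (got {len(password)})")
    chars = set(password)
    present = [name for name, members in CLASSES.items() if chars & members]
    # Count non-ASCII input as one extra class instead of silently ignoring it.
    if any(ord(c) > 127 for c in chars):
        present.append("non-ASCII character")
    if len(present) < min_classes:
        missing = [name for name in CLASSES if name not in present]
        result.errors.append(
            f"uses {len(present)} of the required {min_classes} character "
            f"classes (missing: {', '.join(missing)})")
    return result


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the original post.
    for candidate in ("hunter2", "correct horse battery", "Tr1cky-Pass!word"):
        outcome = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if outcome else outcome.message}")
```

Because every failed rule is collected rather than only the first, `message` can be shown directly as a form validation error.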