Cracklib + Safe


Today I was working on a flask web application that had a dependency on cracklib. This seemed like an oddly named and surprising inclusion and so I investigated. It turns out that it is a tool for checking passwords in order to

prevent users from choosing passwords that could be guessed by “crack” by filtering them out, at source

The application was using the python library in a very similar way to that described by Gary Wilson Jr. all the way back in 2006.

While this seems all well and good, the reason this even came to my attention was that cracklib doesn't play nice with pip because it expects the libcrack library to already be installed, resulting in errors like so:

    ./_cracklib.c:40:19: fatal error: crack.h: No such file or directory
     #include <crack.h>
    compilation terminated.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 1


At this point it seemed like a relatively simple piece of functionality to incur the complicated dependency I set out to find a drop in replacement. After a bit of searching this flask-wft issue lead me to Safe.

Though perhaps the checks are a bit less stringent than libcrack, the result is awesomely simple and easy to install (relative to the alternative). The only thing that really took a bit of time to wrap my head around was the returned result and how to get good error messages.

A final thought would be to just completely do away with any external dependency at all and just roll a custom password strength checker, for example length and character classes, but at the moment safe does the trick.