Usermin does not seem to respect the option “prevent dictionary words” in “Change Password” module configs under Users & Groups or within Usermin module configs.
The accounts existed before the "prevent dictionary words" option was enabled, and are also accounts associated with an existing Virtualmin virtual server.
After enabling the option to prevent dictionary words in passwords, I am still able to use any dictionary words that meet the password length requirements.
For the dictionary itself, I am using system packages wamerican and wbritish as these seemed sensible.
I have installed spell, ispell, aspell, and hunspell, and restarted both the webmin and usermin services after each installation in an attempt to get this option working. I have verified the location of the dictionary files and a word list at /usr/share/dict/words (this list is a symlink) and set the location via the Users & Groups config to use that file, to no avail. No errors are displayed or logged when passwords are changed. Passwords containing dictionary words, whether a single word or a word concatenated with other characters, are accepted, completely ignoring that the option to disallow them is set.
Is there a limit on the word list size, or a format the list must adhere to?
Am I missing a setting somewhere else in Virtualmin or is this a bug?
After having a read of the code in usermin/changepass/md5-lib.pl I have discovered I am stupid.
The words I tried that DID exist in the dictionary file, I had padded with other characters to meet the length requirement. The words I tried that met the length requirement on their own did not exist in the word list.
The dictionary password option only triggers on an exact match, not on a password that merely contains a dictionary word as a substring.
I would like to suggest that these options get some help text to clarify that the match is exact. As the "system defaults" are hard-coded into the file, it would be nice to know where webmin/usermin look by default, and that a file path containing spaces will be treated as several separate files if configured.
Also of note, the various *spell packages may not be required.
Disallowing dictionary words as substrings is kinda problematic.
It’s annoying, as it’s easy to accidentally include a three or four letter word in a good password…a good password is long, so lots of opportunities to stumble on a word, and that doesn’t make the password weak, as long as it’s long enough and varied enough.
And, it makes a pretty good password practice (very long, but memorable by virtue of being made of words) impossible. e.g. correct horse battery staple
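To make the difference between the two checks concrete, here is an added illustration (my own example code, not Usermin's md5-lib.pl and not anything from the Virtualmin project) of an exact-match dictionary check beside a substring check, run over a constructed word list rather than /usr/share/dict/words. It also models the caveat above that a configured path containing a space is split into several paths. Lower-casing before comparison and the four-character minimum for the substring check are my own assumptions, chosen so that short words like "a" or "is" do not reject everything.

```python
"""Added illustration: exact-match vs substring dictionary-word checks.

Not Usermin's code. Word list, paths and case-folding are assumptions.
"""
from __future__ import annotations

import os
import tempfile

# Constructed sample word list standing in for /usr/share/dict/words.
SAMPLE_WORDS = ["apple", "battery", "correct", "horse", "staple", "zebra"]


def load_wordlists(setting: str) -> set[str]:
    """Read every whitespace-separated path in *setting* into one set.

    Splitting on whitespace mirrors the caveat that a path with a space in it
    is treated as several files. Files that do not exist are silently skipped,
    which is exactly why a bad path gives no error and no rejections.
    """
    words: set[str] = set()
    for path in setting.split():
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            words.update(w.strip().lower() for w in fh if w.strip())
    return words


def is_dictionary_word_exact(password: str, words: set[str]) -> bool:
    """Reject only when the whole password IS a word (the behaviour described above)."""
    return password.lower() in words


def contains_dictionary_word(password: str, words: set[str], min_len: int = 4) -> bool:
    """Reject when any word of at least *min_len* letters appears anywhere inside."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def write_sample_wordlist(directory: str | None = None) -> str:
    """Write SAMPLE_WORDS one per line to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".words", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(SAMPLE_WORDS) + "\n")
    return path


def demo() -> dict[str, tuple[bool, bool]]:
    """Return {candidate: (rejected_by_exact, rejected_by_substring)}."""
    path = write_sample_wordlist()
    try:
        words = load_wordlists(path)
        candidates = [
            "horse",                      # bare dictionary word
            "Horse",                      # same word, different case
            "horse123",                   # word padded to meet a length rule
            "correcthorsebatterystaple",  # long passphrase built from words
            "xq7!Lm#9",                   # nothing dictionary-like in it
        ]
        return {
            c: (is_dictionary_word_exact(c, words), contains_dictionary_word(c, words))
            for c in candidates
        }
    finally:
        os.unlink(path)


def demo_path_with_space() -> int:
    """Show that a list file under a directory containing a space loads zero words."""
    with tempfile.TemporaryDirectory() as tmp:
        spaced_dir = os.path.join(tmp, "my dict")
        os.mkdir(spaced_dir)
        path = write_sample_wordlist(spaced_dir)
        # "<tmp>/my" and "dict/<file>" are looked up separately; neither exists.
        return len(load_wordlists(path))


if __name__ == "__main__":
    for candidate, (exact, substring) in demo().items():
        print(f"{candidate:28} exact={exact!s:5} substring={substring}")
    print("words loaded from path containing a space:", demo_path_with_space())
```

With the exact check, only "horse" and "Horse" are rejected; "horse123" and "correcthorsebatterystaple" pass, which matches the behaviour worked out above. With the substring check those two are rejected as well, which is the objection in the reply: the passphrase style is ruled out entirely.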