dacs_passwd - manage private DACS
This program is part of DACS. This web service is used to manage usernames and passwords recognized by local_passwd_authenticate, a DACS authentication module. This utility serves a similar purpose for DACS as the corresponding command does for its mod_auth and mod_auth_dbm modules. These accounts and passwords are used only by local_passwd_authenticate and are completely separate from any other accounts and passwords.
Much of the functionality of this program is also available as a separate DACS program, which operates on the same password files. Since that program provides the same functionality and more, this one may be removed in a future release.
This web service enforces several requirements over and above those specified by its access control rule. The USERNAME argument must be syntactically valid and lowercase. The user must already be authenticated. To change his password, a (non-admin) user must enter his current password.
The default DACS ACL restricts use of this web service to a DACS administrator and to users who are setting the password for their own account at the receiving jurisdiction. Administrators should ensure that the ACL for dacs_passwd is correct for their environment.
In addition to the standard CGI arguments, dacs_passwd understands the following CGI arguments:
The following operations are supported:
- Like setting a password (below), but add or replace the entry for USERNAME.
- Delete the account for USERNAME.
- Disable the account for USERNAME.
- Enable the account for USERNAME.
- Show the account for USERNAME, if it exists, otherwise all usernames. A disabled account is indicated by a '*' (which is not a valid character in a username).
- Set or reset a DACS password for USERNAME. The CONFIRM_NEW_PASSWORD argument must also be given and be identical to NEW_PASSWORD. Unless the operation is performed by a DACS administrator (i.e., an ADMIN_IDENTITY) or disabled by the PASSWORD_OPS_NEED_PASSWORD directive, the current password for USERNAME must be given as PASSWORD.
For users other than a DACS administrator, a password must meet certain requirements on its length and the character set from which it is comprised. Note that these requirements are only significant at the time a password is set or changed; existing passwords are unaffected by changes to the configuration directives. Please refer to the PASSWORD_CONSTRAINTS directive.
Users should be made aware of security issues related to passwords, including better techniques for selecting passwords and keeping them private.
How to choose better passwords
Most users can benefit from adopting a method for password selection similar to the one described in this proposal. It suggests that users construct site-specific passwords from three separate components:
1. PIN-1, a short, random string that is common to all of the user's passwords, kept secret, and unlikely to be in any dictionary;
2. SITE, a string that is derived from a site's name (or domain name) using some simple and easy-to-remember procedure (e.g., using an obvious abbreviation or prefix, or the first four letters or consonants, perhaps mixing upper and lower case); and
3. PIN-2, a short, site-specific random string that is different for each of the user's passwords, and not likely to be in any dictionary.
PIN-1 is memorized by the user. The other two components may be written down but must be kept in a relatively secure location (such as in the user's wallet or in a locked desk drawer).
The user forms passwords by combining these three components in any order that is easy to remember. The example below uses the ordering SITE, then PIN-2, then PIN-1.
Following that ordering, for the site www.example.net, a user might select the password "exampleRB8s#i8", where "example" (component 2, SITE) is derived from the site's domain name, "RB8s" is a random string used with this password only (component 3, PIN-2), and "#i8" is the user's secret PIN (component 1, PIN-1). As PIN-2 is probably difficult to remember, the user might create a note with "www.example.net RB8s" written on it, but not PIN-1.
For httpd.apache.org, the same user might select the password
For the site dacs.dss.ca, the user might select the password
Note that because the characters comprising PIN-1 must be acceptable in all sites' passwords, and some sites accept a rather limited character set for their passwords, it may be necessary to restrict PIN-1 to an alphanumeric alphabet. The other two components can be chosen from whatever password characters are permitted by the particular site. As some sites unfortunately allow only relatively short passwords, it is preferable to shorten that component rather than either of the other two components.
Provided the basic rules are followed, a user can strengthen the method by making minor changes. As a simple example, one or more separating characters, also from a restricted character set, might be added before and after a component. In this example, a 'Z' is used as a separating character.
Since most people are not very good at it, the random strings should be chosen using a good-quality random generator, such as the random() function of dacsexpr:
% dacsexpr -e "random(string, 4, 'a-zA-Z0-9,./;@#')"
Or, on FreeBSD or macOS:
% jot -r -c 20 33 126 | rs -g 0 4
In addition to being difficult to guess because of their random components and reasonably large character set, these passwords are different for each site; should one password be compromised, the others are not immediately available to an attacker. Similarly, the written strings cannot be immediately exploited if they are stolen or copied. The strength of the method can be increased by making either or both PIN components longer, chosen from a larger space of characters, or by inserting one or more characters between components. Software is available to help evaluate password strength (e.g., How Big is Your Haystack?), but avoid giving out the actual password you intend to use.
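The three-component method above, worked through in code. This is an added example, not part of the DACS distribution or man page; the SITE derivation rule (second-level domain label), the separator placement around PIN-2, and the alphanumeric restriction of PIN-1 are assumptions made here.

```python
import secrets
import string

# Character set mirroring the dacsexpr random() call above: a-zA-Z0-9,./;@#
FULL_CHARSET = string.ascii_letters + string.digits + ",./;@#"
# PIN-1 is reused at every site, so (assumption) keep it to characters
# that every site accepts.
PIN1_CHARSET = string.ascii_letters + string.digits


def random_string(length, charset=FULL_CHARSET):
    """Random string drawn from charset with a CSPRNG (secrets module)."""
    return "".join(secrets.choice(charset) for _ in range(length))


def site_component(hostname):
    """Assumed SITE rule: the label left of the top-level domain,
    e.g. www.example.net -> 'example', dacs.dss.ca -> 'dss'."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def compose_password(site, pin2, pin1, separator=""):
    """Combine the components in the page's example order SITE, PIN-2, PIN-1.
    An optional separator is placed before and after PIN-2 (assumed placement)."""
    return f"{site}{separator}{pin2}{separator}{pin1}"


def note_for_wallet(hostname, pin2):
    """What may be written down: the site and its PIN-2, never PIN-1."""
    return f"{hostname} {pin2}"


def new_site_password(hostname, pin1, pin2_len=4, separator=""):
    """Generate a fresh PIN-2 for hostname; return (password, wallet note)."""
    pin2 = random_string(pin2_len)
    password = compose_password(site_component(hostname), pin2, pin1, separator)
    return password, note_for_wallet(hostname, pin2)


if __name__ == "__main__":
    pin1 = random_string(3, PIN1_CHARSET)  # memorize this one; do not write it down
    for host in ("www.example.net", "httpd.apache.org", "dacs.dss.ca"):
        pw, note = new_site_password(host, pin1, separator="Z")
        print(f"{host:18} password={pw:20} note={note!r}")
```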
Either PASSWD (the default) or SIMPLE, case insensitively, to select between the item types passwds and simple, respectively. The requested item type must be configured (see
The DACS username of interest.
By default, output is emitted in HTML. Several varieties of XML output can be selected, however, using the FORMAT argument (please refer to dacs(1) and
The program exits 0 if everything was fine, 1 if an error occurred.
Distributed Systems Software (www.dss.ca)
Copyright 2003-2016 Distributed Systems Software. See the LICENSE file that accompanies the distribution for licensing information.
- standard CGI arguments
- this proposal
- How Big is Your Haystack?