DOKK / manpages / debian 12 / passwdqc / pwqfilter.1.en
PWQFILTER(1) General Commands Manual PWQFILTER(1)

pwqfilterManage binary passphrase filter files

pwqfilter [options]

The pwqfilter program searches, creates, or updates binary passphrase filter files, which can also be used with pwqcheck(1) and pam_passwdqc(8). Input and/or output binary filter files are specified via their corresponding command-line options, whereas passphrases to look up or add, or their hashes, are read from standard input.

pwqfilter works on arbitrary plain text strings or hex-encoded hashes, and thus can also be reused in lieu of grep(1) for many purposes unrelated to passphrases and security.

For the binary filters, pwqfilter and thus the rest of passwdqc currently use an improved cuckoo filter, which is a probabilistic data structure. Occasional false positives are possible (fewer than 1 in a billion), but false negatives are not.

Look up plaintexts or hashes on standard input against an existing filter. This is the default mode.
Report usage statistics for an existing filter.
Create a new filter with CAPACITY entries, reading the initial set of plaintexts or hashes from standard input.

The currently implemented cuckoo filter has a typical maximum load of around 98% (as long as there are no duplicate inputs and the hashes are unbiased, or less otherwise). The specified CAPACITY should thus be higher than the maximum expected number of entries by at least 2.04%.

Insert (add) entries into an existing filter, reading the plaintexts or hashes from standard input.
Estimate the false positive rate (FP rate) of a filter. This option can be used on its own or along with another mode, in which case the test is performed after that other mode's action.

These can be used with --create or --insert.

Better than default FP rate at a cost of briefly slower inserts after a load of 30% to 40% and then again after 60% to 70%.
Better than default FP rate at load ~95% to 98%, a lot worse below ~90%.

, --filter=FILE
Read an existing filter from FILE
, --output=FILE
Write a new or modified filter to FILE
Look up or insert by hex-encoded hashes, not plaintexts.

This option is later implied for further actions on filters created with it specified and no --hash-*, because pwqfilter has no way to know what hash type such filters use.

Hash plaintexts with MD4 prior to lookup or insert. This is the default for new filters.

When used with --pre-hashed, specify that the pre-hashing was done with MD4.

Cuckoo filters' use of a hash function is non-cryptographic, hence MD4's otherwise inadequate cryptographic security is irrelevant.

Hash assumed CP1252 encoding plaintexts with NTLM prior to lookup or insert, or specify that the pre-hashing was done that way (e.g., like it was in a HIBP v7 download).

These are similar to those of grep(1).

, --count
Output a count of (non-)matching lines instead of the lines themselves.
, --line-number
Prefix each line with its number in the input stream.
, --invert-match
Output or count non-matching lines.

Output additional information.
Output pwqfilter program version and exit.
, --help
Output pwqfilter help text and exit.

When looking up against an existing filter, pwqfilter exits with 0 if selected plaintexts or hashes are found, 1 if not found, or 2 on error. These exit codes are compatible with those of grep(1). In other modes, pwqfilter exits with 0 on success and 2 on error.

grep(1), pwqcheck(1), passwdqc.conf(5), pam_passwdqc(8).

https://www.openwall.com/passwdqc/

pwqfilter and this manual page were written by Solar Designer.

January 25, 2021 Openwall Project