	Significant changes between 2.0.3 and 2.1.0.

Add built-in generated common passwords list and a script to (re)generate it.
Specifically, we effectively include top 100k of HIBPv8 overlap with RockYou,
optimized to ~50k entries and compressed to under 200 KB as now embedded in
program binary.  With this and our default policy, we no longer accept anything
from current JtR jumbo default password.lst (1.8 million entries, where we'd
previously accept 0.1%), and we accept only under 0.03% from first 10 million
that the same JtR generates by default (previously 0.3%) - all while having
minimal impact on acceptance of stronger passwords (tested on those uncracked
in CMIYC 2010).  Add new rejection reason "based on a common password".

Optimize the fuzzy matching against wordlist entries such that it's fast enough
even with the larger default wordlist (or with external wordlists, which may be
larger yet).

Slightly expand the previously existing built-in English word list and common
character sequences list.  Importantly, these are used even when the above
newly added common passwords list is overridden with the wordlist= option to
use an external wordlist, so that basic checks of this sort continue to work
regardless of the external wordlist's quality.

Revise matching of wordlist entries against qualifying multi-word passphrases.
It is expected and allowed for such a passphrase to consist of words, so words
were not and still are not discounted, but if a wordlist entry matches a longer
than one word part of a passphrase, that part is now nevertheless discounted.

Revise matching of leetspeak to maintain intuitive behavior despite of the
change above (challenging because digits in leetspeak words look like word
separators), as well as to better reflect what's actually common and exclude
what is not.

Revise non-ASCII passphrase word counting logic: no longer require non-ASCII
words to be separated specifically by spaces, but allow any ASCII non-letters
as separators.

Simplify the default password policy by no longer allowing length 7.

Add Finnish translation of rejection reasons and pam_passwdqc messages.

In Makefile, pass certain default hardening flags to compiler and linker when
building for Linux, and let the package add more of them and/or override them.

Add tests, run them on "make check", run that from RPM spec %check.

Replace the bundled RPM spec with Fedora's, update it for this release.

Fix macOS and Solaris builds.


	Significant changes between 2.0.2 and 2.0.3.

Added Cygwin support.

Added pkg-config file.

Changed enforce=users to support "chpasswd" PAM service in addition to
traditionally supported "passwd".


	Significant changes between 2.0.1 and 2.0.2.

Improved pam_passwdqc's auto-generated policy descriptions further, so
that lines are wrapped at a more consistent length.

Added the libpasswdqc(3) manual page and links to it for all functions
documented in there.

Added scripts to support Continuous Integration on GitHub (included in
the git repository, but excluded from release tarballs).


	Significant changes between 2.0.0 and 2.0.1.

Improved pam_passwdqc's auto-generated policy descriptions, which were
slightly misformatted since the introduction of i18n support in 1.4.0.
Now they not only look prettier, but also make it clearer that the
mentioned lengths are merely the minimums and not the recommended ones.

Updated Russian translation for consistency with the above and to cover
messages added in 1.9.0+.

Increased maximum size of randomly-generated passphrases to 136 bits.
This was already the limit in the underlying API, but the tools' limit
was set to 85.  This increase is to allow for a wider variety of use
cases for the tools.

In the Makefile, use CPPFLAGS and LDFLAGS consistently to be friendlier
to packaging by distros.

Added this file CHANGES based on two latest release announcements, and
started to maintain it.


	Significant changes between 1.9.0 and 2.0.0.

Introduce and use passwdqc_params_free().  This is a minor addition to
the libpasswdqc API related to the addition of external files support.


	Significant changes between 1.5.0 and 1.9.0.

Added support for external wordlist, denylist, and binary filter.  With
these, passwdqc can be configured to deny passwords and passphrases that
are based on lines of a tiny external text file (the "wordlist" option),
directly appear in a tiny external text file (the "denylist" option),
or/and directly appear in a maybe huge binary filter file (the "filter"
option).  While usage of larger external text files is inefficient, the
binary filters are very efficient.

The binary filters can be created and otherwise managed with the newly
added pwqfilter(1) program.  It can create a binary filter from a list
of plaintexts or from MD4 or NTLM hashes.  The latter are supported in a
way that enables importing of HIBP (Pwned Passwords) database revisions
into passwdqc binary filters.  pwqfilter works on arbitrary plain text
strings or hex-encoded hashes, and it can also be reused in lieu of
grep(1) for many purposes, even unrelated to passphrases and security.

Merged changes needed for building with Visual Studio on Windows.  This
includes a refactoring of the random passphrase generator code to make
it shared between platforms.


	Significant changes between 1.4.1 and 1.5.0.

Updated the included wordlist to avoid some inappropriate words in
randomly generated passphrases while not removing any words from the
"word-based" check, and also to have plenty of extra words for
subsequent removal of more words that might be considered inappropriate
from the initial 4096 that are used for randomly generated passphrases.
Most of the added words came from EFF Diceware, BIP-0039, and our own
processing of Project Gutenberg Australia books.


	Significant changes between 1.4.0 and 1.4.1.

Set default for "max" to 72 (was 40).  The previous setting was based on
a reading of RFC 1939, which in practice did not matter.  The new one is
based on bcrypt's truncation at 72, which actually still matters.

Documented "similar" in pwqcheck(1) help message and manual page.  This
is a setting that was supported before and documented for other passwdqc
components before, but was apparently erroneously omitted from here.


	Significant changes between 1.3.2 and 1.4.0.

Implemented i18n support in pam_passwdqc, contributed by Oleg Solovyov,
Andrey Cherepanov, and Dmitry V. Levin.  The i18n support is off by
default, it can be enabled if Linux-PAM is built using --enable-nls
configure option.

Implemented audit support in pam_passwdqc, contributed by Oleg Solovyov
and Dmitry V. Levin.  The audit support is off by default, it can be
enabled if Linux-PAM is built using --enable-audit configure option.

Both of these optional new features had been introduced and are enabled
in ALT Linux distributions, so this version is effectively upstreaming
the changes from there.


	Significant changes between 1.3.1 and 1.3.2.

Compatibility for building with newer versions of glibc, where we now
have to define _DEFAULT_SOURCE for our use of crypt(3).  The problem was
identified and this change tested by Dmitry V. Levin.

Clarified in the man pages that /etc/passwdqc.conf is not read unless
this suggested file location is specified with the config= option.

Clarified the OpenBSD configuration example.

Escape the minus sign in the OpenBSD configuration example to make the
man page linter happy, patch by Jackson Doak via Unit 193.
