pwgen's seeding looks insecure
Dan Nelson
dnelson at allantgroup.com
Mon Jan 8 18:36:48 UTC 2007
In the last episode (Jan 08), RW said:
> Someone recently recommended sysutils/pwgen for generating user
> passwords. Out of curiosity I had a look at how it works, and I
> don't like the look of its PRNG initialization:
>
>
> #ifdef RAND48
> srand48((time(0)<<9) ^ (getpgrp()<<15) ^ (getpid()) ^ (time(0)>>11));
> #else
> srand(time(0) ^ (getpgrp() << 8) + getpid());
> #endif
>
> If pwgen is called from an account creation script, time(0) can be
> inferred from timestamps, e.g. on a home-directory, so that just leaves
> getpid() and getpgrp(). PIDs are allocated sequentially and globally,
> so getpid() is highly predictable. I don't know much about getpgrp(),
> but from the manpage it doesn't appear to be any better.

Even better: make RANDOM() call random() instead of rand(), and
initialize the rng with srandomdev().

Another random password generator is in security/apg, and that one
already uses /dev/random as a seed.

--
Dan Nelson
dnelson at allantgroup.com
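
Added example, not part of the original message and not code from pwgen or apg: one way to avoid a guessable seed altogether is to draw every password character directly from the kernel RNG, shown here in C. The function name gen_password, the 62-character alphabet and the choice of /dev/urandom are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Alphabet is an assumption of this example, not pwgen's character set. */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Fill out[0..len-1] with characters chosen uniformly from ALPHABET using
 * bytes from the kernel RNG; out must hold len + 1 bytes.
 * Returns 0 on success, -1 if the device cannot be opened or read. */
int gen_password(char *out, size_t len)
{
    const unsigned n = (unsigned)(sizeof(ALPHABET) - 1);   /* 62 symbols */
    /* Largest multiple of n that fits in one byte. Bytes at or above it
     * are discarded so that b % n is not biased toward low indices. */
    const unsigned limit = 256 - (256 % n);                /* 248 */
    FILE *rng = fopen("/dev/urandom", "rb");
    size_t i = 0;

    if (rng == NULL)
        return -1;
    /* Unbuffered, so no unused random bytes sit in a stdio buffer. */
    setvbuf(rng, NULL, _IONBF, 0);
    while (i < len) {
        unsigned char b;
        if (fread(&b, 1, 1, rng) != 1) {
            fclose(rng);
            memset(out, 0, len + 1);   /* never return a partial password */
            return -1;
        }
        if (b < limit)
            out[i++] = ALPHABET[b % n];
    }
    out[len] = '\0';
    fclose(rng);
    return 0;
}

int main(void)
{
    char pw[17];
    if (gen_password(pw, 16) != 0) {
        fprintf(stderr, "could not read /dev/urandom\n");
        return 1;
    }
    puts(pw);
    return 0;
}
```

Because no value from time(0), getpid() or getpgrp() enters the output, knowing when or by which process the password was generated tells an observer nothing about it.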