generating random passwords

RW fbsd06 at mlists.homeunix.com
Thu Jun 12 01:33:45 UTC 2008


On Wed, 11 Jun 2008 14:53:56 -0400
Andrew Berry <andrewberry at sentex.net> wrote:

> Zbigniew Szalbot wrote:
> > Hello,
> >
> > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > allow me to generate random passwords without actually creating any
> > accounts or modifying existing ones? I am looking for something to
> > allow me to generate a random string of characters. I know I can
> > randomly hit the keyboard but if anything like that exists, many
> > thanks for your advice. :)
> >
> > Best regards,
> I've used pwgen from ports. It sounds similar to the other
> suggestions.

There are actually two versions of this in ports: sysutils/pwgen and
sysutils/pwgen2. The latter is an independent rewrite rather than a
version 2, and seems to be much more secure. 

The problem with pwgen is that its PRNG is very weakly seeded, making
it vulnerable to simple brute-force attacks. As most of the entropy
comes from the time (in *integer* seconds), it's particularly weak if an
attacker knows roughly when the password was generated. An attacker with
local access may even be able to compute the passwords directly. 

pwgen2 gets random numbers directly from /dev/random, which is how
it should be. 

IMO pwgen should be removed from the ports tree, or failing that should
be patched to use arc4random(), which is self-seeding. I don't really
see the point in keeping it though.
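The seeding problem RW describes, as an added example in C that is not part of this thread or of either pwgen port: a toy generator seeded from an integer-second timestamp, an attacker's seed search over a window around the assumed generation time, and the same generator drawing from the kernel random device instead. The alphabet, the 8-character length, the search window and the timestamp (1213234425, this post's own date) are assumptions made for illustration; /dev/urandom is read so the program also runs on Linux, and on FreeBSD /dev/random or arc4random_uniform() fills the same role.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions for illustration: an 8-character password from this
 * 62-character alphabet. Neither value is taken from pwgen or pwgen2. */
#define PW_LEN 8
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define CHARSET_LEN (sizeof(CHARSET) - 1)   /* 62 */

/* The weak pattern: seed libc's rand() with a time_t in whole seconds.
 * Output is a pure function of the seed, so the seed is the only secret. */
static void weak_password(unsigned seed, char out[PW_LEN + 1])
{
    srand(seed);
    for (size_t i = 0; i < PW_LEN; i++)
        out[i] = CHARSET[rand() % CHARSET_LEN];
    out[PW_LEN] = '\0';
}

/* Attacker who knows the generation time to within +/- window seconds:
 * regenerate for each candidate second and compare. Returns the seed
 * that reproduces target, or -1 if none in the window does. */
static long recover_seed(const char *target, long guess, long window)
{
    char cand[PW_LEN + 1];
    for (long t = guess - window; t <= guess + window; t++) {
        weak_password((unsigned)t, cand);
        if (strcmp(cand, target) == 0)
            return t;
    }
    return -1;
}

/* The fix: bytes from the kernel CSPRNG, mapped onto the alphabet with
 * rejection sampling so no character is favoured (62 does not divide 256;
 * bytes >= 248 are discarded). Returns 0 on success, -1 on read failure. */
static int strong_password(char out[PW_LEN + 1])
{
    FILE *dev = fopen("/dev/urandom", "rb");   /* /dev/random on FreeBSD */
    if (dev == NULL)
        return -1;
    const unsigned limit = 256 - (256 % CHARSET_LEN);
    size_t i = 0;
    while (i < PW_LEN) {
        unsigned char b;
        if (fread(&b, 1, 1, dev) != 1) {
            fclose(dev);
            return -1;
        }
        if (b >= limit)
            continue;          /* rejected: would bias the distribution */
        out[i++] = CHARSET[b % CHARSET_LEN];
    }
    out[PW_LEN] = '\0';
    fclose(dev);
    return 0;
}

/* Generate with the weak scheme at `when`, then recover the seed knowing
 * only the password and that it was made within an hour of `when + 300`.
 * Returns 1 if the attacker gets the exact seed back. */
static int weak_seed_is_recoverable(long when)
{
    char pw[PW_LEN + 1];
    weak_password((unsigned)when, pw);
    return recover_seed(pw, when + 300, 3600) == when;
}

/* Returns 1 if strong_password() yields PW_LEN characters, all in CHARSET. */
static int strong_password_is_well_formed(void)
{
    char pw[PW_LEN + 1];
    if (strong_password(pw) != 0 || strlen(pw) != PW_LEN)
        return 0;
    return strspn(pw, CHARSET) == PW_LEN;
}

int main(void)
{
    /* 1213234425 is Thu Jun 12 01:33:45 UTC 2008, the date of this post,
     * standing in for "roughly when the password was generated". */
    const long when = 1213234425L;
    char weak[PW_LEN + 1], strong[PW_LEN + 1];

    weak_password((unsigned)when, weak);
    printf("weak password: %s\n", weak);
    printf("seed recovered by search: %ld (actual %ld)\n",
           recover_seed(weak, when + 300, 3600), when);

    if (strong_password(strong) == 0)
        printf("strong password: %s\n", strong);
    return 0;
}
```

With a one-hour uncertainty the search tries at most 7201 seeds, each costing eight rand() calls, so the "attack" finishes in well under a second; widening the window to a whole year only raises that to about 31 million candidates, still trivial. The rejection loop in strong_password() is the detail most hand-rolled generators get wrong: `byte % 62` alone makes the first eight characters of the alphabet slightly more likely.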
