generating random passwords

Frank Shute frank at shute.org.uk
Thu Jun 12 02:17:12 UTC 2008


On Thu, Jun 12, 2008 at 02:17:59AM +0100, RW wrote:
>
> On Wed, 11 Jun 2008 14:53:56 -0400
> Andrew Berry <andrewberry at sentex.net> wrote:
> 
> > Zbigniew Szalbot wrote:
> > > Hello,
> > >
> > > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > > allow me to generate random passwords without actually creating any
> > > accounts or modifying existing ones? I am looking for something to
> > > allow me to generate a random string of characters. I know I can
> > > randomly hit the keyboard but if anything like that exists, many
> > > thanks for your advice. :)
> > >
> > > Best regards,
> > I've used pwgen from ports. It sounds similar to the other
> > suggestions.
> 
> There are actually two versions of this in ports: sysutils/pwgen and
> sysutils/pwgen2. The latter is an independent rewrite rather than a
> version 2, and seems to be much more secure. 
> 
> The problem with pwgen is that its PRNG is very weakly seeded, making
> it vulnerable to simple brute-force attacks. As most of the entropy
> comes from the time (in *integer* seconds), it's particularly weak if an
> attacker knows roughly when the password was generated. An attacker with
> local access may even be able to compute the passwords directly. 

Thanks for the heads-up.

> 
> pwgen2 gets random numbers directly from /dev/random, which is how
> it should be. 
> 
> IMO pwgen should be removed from the ports tree, or failing that should
> be patched to use arc4random(), which is self-seeding. I don't really
> see the point in keeping it though.

It would be nice if it could be patched and a portaudit warning issued
for it so users could update.

The patching would be beyond me unfortunately...or fortunately, as I
would likely make it *really* insecure ;)

Regards,

-- 

 Frank 


 Contact info: http://www.shute.org.uk/misc/contact.html 
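The weakness RW describes above, as an added example that is not from the thread, from pwgen, or from pwgen2: a generator whose only entropy is the clock in whole seconds fed to srand(), the brute-force attack that follows once the generation time is known roughly, and a replacement that pulls every character from the kernel's CSPRNG. The alphabet, the password length and the timestamps are assumptions made for the demonstration; pwgen's real algorithm is not reproduced. The strong version reads /dev/urandom rather than /dev/random or arc4random(), a portability choice for the example, with rejection sampling so the modulo does not bias the character distribution.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Alphabet for the generated passwords. This is an assumed alphabet for
 * the demonstration, not pwgen's own. */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_LEN (sizeof(ALPHABET) - 1)   /* 62 */
#define PW_LEN 8

/* Weak generator in the style described in the thread: the only entropy
 * is the clock in whole seconds, fed to srand(), then rand() picks each
 * character. Every password is a pure function of one small seed. */
void weak_pwgen(time_t seed, char out[PW_LEN + 1]) {
    srand((unsigned)seed);
    for (int i = 0; i < PW_LEN; i++)
        out[i] = ALPHABET[rand() % ALPHABET_LEN];
    out[PW_LEN] = '\0';
}

/* Attacker who knows the generation time to within +/- window seconds:
 * re-run the generator for every candidate seed and compare. Returns 1
 * and stores the seed in *found on success, 0 otherwise. */
int recover_weak_password(const char *target, time_t approx, long window,
                          time_t *found) {
    char cand[PW_LEN + 1];
    for (long d = -window; d <= window; d++) {
        weak_pwgen(approx + d, cand);
        if (strcmp(cand, target) == 0) {
            *found = approx + d;
            return 1;
        }
    }
    return 0;
}

/* Strong generator: every character comes straight from the kernel's
 * CSPRNG. Bytes >= limit are discarded so that c % ALPHABET_LEN is
 * uniform (rejection sampling avoids modulo bias). Returns 0 on
 * success, -1 if the device cannot be read. */
int strong_pwgen(char out[PW_LEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    unsigned limit = 256 - (256 % ALPHABET_LEN);   /* 248 */
    int i = 0;
    while (i < PW_LEN) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c >= limit) continue;        /* reject and redraw */
        out[i++] = ALPHABET[c % ALPHABET_LEN];
    }
    fclose(f);
    out[PW_LEN] = '\0';
    return 0;
}

/* 1 if pw has exactly PW_LEN characters, all drawn from ALPHABET. */
int pw_is_valid(const char *pw) {
    if (strlen(pw) != PW_LEN) return 0;
    return strspn(pw, ALPHABET) == PW_LEN;
}

/* Scenario: a password generated at a constructed timestamp t0; the
 * attacker only knows the time to within ten minutes. Returns 1 if the
 * brute force recovers both the password and the exact seed. */
int demo_weak_is_recoverable(void) {
    const time_t t0 = 1213236000;          /* constructed timestamp */
    char pw[PW_LEN + 1];
    time_t found = 0;
    weak_pwgen(t0, pw);
    return recover_weak_password(pw, t0 + 200, 600, &found) && found == t0;
}

/* Returns 1 if the strong generator produced a well-formed password. */
int demo_strong_ok(void) {
    char pw[PW_LEN + 1];
    return strong_pwgen(pw) == 0 && pw_is_valid(pw);
}

int main(void) {
    char pw[PW_LEN + 1];
    time_t now = time(NULL), found = 0;
    weak_pwgen(now, pw);
    printf("weak password:   %s\n", pw);
    if (recover_weak_password(pw, now + 120, 600, &found))
        printf("recovered by brute force, seed %ld\n", (long)found);
    if (strong_pwgen(pw) == 0)
        printf("strong password: %s\n", pw);
    return 0;
}
```

The search in recover_weak_password tries 601 seeds for a ten-minute window; widening it to a whole day is still under 90,000 calls of a cheap generator, which is why "roughly when" is enough for the attacker. No amount of widening helps against strong_pwgen, because there is no seed to enumerate.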



More information about the freebsd-questions mailing list