On Wed, 11 Jun 2008 14:53:56 -0400
Andrew Berry <[EMAIL PROTECTED]> wrote:

> Zbigniew Szalbot wrote:
> > Hello,
> >
> > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > allow me to generate random passwords without actually creating any
> > accounts or modifying existing ones? I am looking for something to
> > allow me to generate a random string of characters. I know I can
> > randomly hit the keyboard but if anything like that exists, many
> > thanks for your advice. :)
> >
> > Best regards,
> I've used pwgen from ports. It sounds similar to the other
> suggestions.

There are actually two versions of this in ports: sysutils/pwgen and
sysutils/pwgen2. The latter is an independent rewrite rather than a
version 2, and seems to be much more secure. 

The problem with pwgen is that its PRNG is very weakly seeded, making
it vulnerable to simple brute-force attacks. As most of the entropy
comes from the time (in *integer* seconds), it's particularly weak if an
attacker knows roughly when the password was generated. An attacker with
local access may even be able to compute the passwords directly. 

pwgen2 gets random numbers directly from /dev/random, which is how
it should be. 

IMO pwgen should be removed from the ports tree, or failing that should
be patched to use arc4random(), which is self-seeding. I don't really
see the point in keeping it though.


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to