> I've added some detail for context, in this rewritten email
On Fri, Feb 20, 2026, 1:09 PM Samuel <[email protected]> wrote:
> I've added some detail for context, sorry about the noise, I wrote that in
> the wee hours last night.
>
> > No.
> > Most likely your script is buggy.
>
> Why?
>
>
> I've been over the main script, there's not much there to be buggy.
>
> I'm not seeing any problem with the password generator either; it should
> always output something.
>
> There would have to be something different about the invocation that
> generated this user; I'm just not seeing how that's possible.
>
> (password generator basically reads from /dev/random, discards some
> values, translating others into printable characters.)
>
> On Fri, Feb 20, 2026, 12:26 PM Samuel <[email protected]> wrote:
>
>> Perhaps you can tell me if this seems plausible. I was using the snapshot from
>> February 4.
>>
>> I've added several users, over several days, using the exact same script
>> (I wrote), with the only input being the username on the command line. The
>> script also generates a random encrypted password -- which I can see by
>> looking at master.passwd. And all the user accounts seemed to work (until
>> the system became unresponsive).
>>
>> Recently I saw that the last user to be created this way has no password!
>> My best guess is an un-updated chromium parsed a compromised web page, that
>> ... removed the password.
>>
>> passwd(1) requires the current password if the user calling it is not the
>> superuser.
>> It seems like pledge ought to be an obstacle.
>> The compromised user was not logged in (to my knowledge) by the time I
>> gave up and shut down the computer.
>> I always kill all processes associated with these accounts when I log out.
>> The password generator takes printable characters from /dev/random,
>> adding more as needed.
>>
>> On Fri, Feb 20, 2026, 5:49 AM Samuel <[email protected]> wrote:
>>
>>> I've added several users, over several days, using the exact same
>>> script, with the only input being the username on the command line. The
>>> script also generates a random encrypted password, which I can confirm by
>>> looking at master.passwd. And all the user accounts seemed to work (until
>>> the system became unresponsive).
>>>
>>> Recently I saw that the last user to be created this way has no
>>> password! My best guess is an un-updated chromium parsed a compromised web
>>> page, that ... removed the password (was running a snapshot, not stable).
>>>
>>> Does that seem plausible?
>>>
>>> (The compromised user was not logged in (to my knowledge) when I gave up
>>> and shut down the computer.)
>>>
>>
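An added example, not part of the thread and not the poster's script: a shell audit that classifies the password field of every entry in a master.passwd-format file, so an account with an empty field shows up right after creation. It assumes that "no password" means an empty second field; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# BSD master.passwd(5) has ten colon-separated fields:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell

# Constructed sample data (hypothetical accounts, placeholder hash strings).
sample_master_passwd() {
    cat <<'EOF'
root:$2b$10$constructedconstructedconstructed:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1::0:0:The devil himself:/root:/sbin/nologin
alice:$2b$10$constructedconstructedconstructed:1000:1000::0:0:Alice:/home/alice:/bin/ksh
bob::1001:1001::0:0:Bob:/home/bob:/bin/ksh
broken:x:1002
EOF
}

# audit_master_passwd FILE
# Prints "name STATUS" for each entry, where STATUS is one of:
#   EMPTY      password field is empty
#   LOCKED     field starts with "*", which no hash can match
#   HASHED     field starts with "$" (modular crypt format)
#   OTHER      anything else in the field
#   MALFORMED  line does not have exactly ten fields
audit_master_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }
        NF != 10     { printf "%s MALFORMED\n", $1; next }
        $2 == ""     { printf "%s EMPTY\n", $1; next }
        $2 ~ /^\*/   { printf "%s LOCKED\n", $1; next }
        $2 ~ /^\$/   { printf "%s HASHED\n", $1; next }
                     { printf "%s OTHER\n", $1 }
    ' "$1"
}

# Demonstration on the constructed sample. On a real system the file is
# /etc/master.passwd and is readable only by root.
demo_file=$(mktemp)
sample_master_passwd > "$demo_file"
audit_master_passwd "$demo_file"
rm -f "$demo_file"
```

Calling the same function at the end of an account-creation script and refusing to continue on an EMPTY or MALFORMED result catches a generator or invocation failure when it happens rather than days later.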

