RE: generating random passwords
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jos Chrispijn
> Sent: Wednesday, June 11, 2008 12:29 PM
> To: freebsd-questions@freebsd.org
> Subject: Re: generating random passwords
>
>
> Bill Campbell wrote:
> > I much prefer apg which can generate more-or-less pronounceable
> > passwords which it is possible to remember (at least after typing
> > them a few times :-).
> >
> This is not supposed to be an offense to any author of a password
> generator, but:
> Never, but never trust any random password generator. You do not know
> the author, you do not know the algorithm it uses and in worst case
> scenario you do not know if there is a millisecond traffic to somewhere
> that is recording the generated password.

This issue is very easily solved with open source code, as you can simply
read the code before running it. That is one of the reasons that most
crypto implementations that people trust to actually keep things private
are open source.

> > One of the biggest problems with random passwords is that they
> > end up written on yellow-stickies on the monitor or under the
> > keyboard.
> >
> You don't need a generated password for that; it is common behaviour for
> people that aren't involved in any responsibility whatsoever.
>

Such as people who don't read the source for any password generator
before running it?

Ted

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: generating random passwords
On Thu, Jun 12, 2008 at 02:17:59AM +0100, RW wrote:
>
> On Wed, 11 Jun 2008 14:53:56 -0400
> Andrew Berry <[EMAIL PROTECTED]> wrote:
>
> > Zbigniew Szalbot wrote:
> > > Hello,
> > >
> > > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > > allow me to generate random passwords without actually creating any
> > > accounts or modifying existing ones? I am looking for something to
> > > allow me to generate a random string of characters. I know I can
> > > randomly hit the keyboard but if anything like that exists, many
> > > thanks for your advice. :)
> > >
> > > Best regards,
> > I've used pwgen from ports. It sounds similar to the other
> > suggestions.
>
> There are actually two versions of this in ports: sysutils/pwgen and
> sysutils/pwgen2. The latter is an independent rewrite rather than a
> version 2, and seems to be much more secure.
>
> The problem with pwgen is that its PRNG is very weakly seeded, making
> it vulnerable to simple brute-force attacks. As most of the entropy
> comes from the time (in *integer* seconds), it's particularly weak if an
> attacker knows roughly when the password was generated. An attacker with
> local access may even be able to compute the passwords directly.

Thanks for the heads-up.

>
> pwgen2 gets random numbers directly from /dev/random, which is how
> it should be.
>
> IMO pwgen should be removed from the ports tree, or failing that should
> be patched to use arc4random(), which is self-seeding. I don't really
> see the point in keeping it though.

It would be nice if it could be patched and a portaudit warning issued
for it so users could update. The patching would be beyond me
unfortunately...or fortunately, as I would likely make it *really*
insecure ;)

Regards,
--
Frank

Contact info: http://www.shute.org.uk/misc/contact.html

Re: generating random passwords
On Jun 11, 2008, at 7:46 PM, Andrew Berry wrote:

> Any idea what the name of the project for the Security framework is? I
> can't seem to find anything on Google. I'd love to be able to access
> keychains from OS X on other platforms, without resorting to dumping
> everything to plaintext.

This looks like a good place to start.

http://developer.apple.com/opensource/security/index.html

I, too, would like my OS X Keychains to be portable.

Cheers,

-j

Re: generating random passwords
On Wed, Jun 11, 2008 at 02:53:56PM -0400, Andrew Berry wrote:
>
> Zbigniew Szalbot wrote:
>
> >Hello,
> >
> >Excuse me my ignorance. Is there a utility in FreeBSD that would allow
> >me to generate random passwords without actually creating any accounts
> >or modifying existing ones? I am looking for something to allow me to
> >generate a random string of characters. I know I can randomly hit the
> >keyboard but if anything like that exists, many thanks for your
> >advice. :)
> >
> >Best regards,
>
> I've used pwgen from ports. It sounds similar to the other suggestions.
>

I like sysutils/pwgen too. In its default state it will give a screenful
of semi-pronounceable passwords from which you pick one. It can also be
used in a shell script to generate single passwords. Having the password
semi-pronounceable avoids the sticky-note problem to a large extent as
they're easy to learn. Can also generate gibberish, if that's your
choice. Widely tunable.

For password containment, i.e. all my online passwords, I use a shell
script with gpg and a strong password. So in theory, I only have to
remember my user login and the password for gpg. In practice, I remember
a few more that I use regularly.

Regards,
--
Frank

Contact info: http://www.shute.org.uk/misc/contact.html

Re: generating random passwords
On Wed, 11 Jun 2008 14:53:56 -0400
Andrew Berry <[EMAIL PROTECTED]> wrote:

> Zbigniew Szalbot wrote:
> > Hello,
> >
> > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > allow me to generate random passwords without actually creating any
> > accounts or modifying existing ones? I am looking for something to
> > allow me to generate a random string of characters. I know I can
> > randomly hit the keyboard but if anything like that exists, many
> > thanks for your advice. :)
> >
> > Best regards,
> I've used pwgen from ports. It sounds similar to the other
> suggestions.

There are actually two versions of this in ports: sysutils/pwgen and
sysutils/pwgen2. The latter is an independent rewrite rather than a
version 2, and seems to be much more secure.

The problem with pwgen is that its PRNG is very weakly seeded, making
it vulnerable to simple brute-force attacks. As most of the entropy
comes from the time (in *integer* seconds), it's particularly weak if an
attacker knows roughly when the password was generated. An attacker with
local access may even be able to compute the passwords directly.

pwgen2 gets random numbers directly from /dev/random, which is how
it should be.

IMO pwgen should be removed from the ports tree, or failing that should
be patched to use arc4random(), which is self-seeding. I don't really
see the point in keeping it though.

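The seeding weakness described in the message above, as an added illustration that is not part of the original thread and is not pwgen's code: a toy generator (hypothetical `weak_password`) whose only secret is an integer-seconds clock value, next to one that draws every character from the OS CSPRNG. The alphabet, length, timestamp and one-hour window are constructed for the example.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (constructed choice)
LENGTH = 8                                        # constructed choice


def weak_password(seed_seconds: int) -> str:
    """Toy generator: every character follows from an integer-seconds seed."""
    rng = random.Random(seed_seconds)             # non-cryptographic PRNG
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def strong_password() -> str:
    """Each character is drawn from the kernel CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def nominal_bits() -> float:
    """Entropy the password appears to have, judged by alphabet and length."""
    return LENGTH * math.log2(len(ALPHABET))


def effective_bits(window_seconds: int) -> float:
    """Entropy actually present when the seed is one second within the window."""
    return math.log2(window_seconds)


def seed_for(password: str, start: int, window_seconds: int):
    """Return the clock value in [start, start + window) that reproduces the
    password, or None if no integer-seconds seed in the window does."""
    for t in range(start, start + window_seconds):
        if weak_password(t) == password:
            return t
    return None


if __name__ == "__main__":
    generated_at = 1213233479                     # constructed timestamp
    window = 2 * 3600                             # "roughly when": +/- one hour
    start = generated_at - 3600
    pw = weak_password(generated_at)
    print(f"nominal   {nominal_bits():.1f} bits")
    print(f"effective {effective_bits(window):.1f} bits ({window} candidates)")
    print("clock-seeded password reproducible:", seed_for(pw, start, window) is not None)
    print("CSPRNG password reproducible:      ",
          seed_for(strong_password(), start, window) is not None)
```

The clock-seeded password looks like a 47-bit secret but is one of only 7200 candidates; the CSPRNG password keeps its full search space no matter how precisely the generation time is known.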
Re: generating random passwords
Jeffrey Goldberg wrote:

> I don't run FreeBSD on desktops so I haven't looked at the various
> tools available. On OS X, I use 1password which makes excellent use of
> the OS X Keychain system, and has terrific webbrowser integration. I'm
> fairly sure that the Apple Keychain libraries have been or can be
> ported to FreeBSD, but it might require GnuStep.

Any idea what the name of the project for the Security framework is? I
can't seem to find anything on Google. I'd love to be able to access
keychains from OS X on other platforms, without resorting to dumping
everything to plaintext.

--Andrew

Re: generating random passwords
On Jun 11, 2008, at 11:35 AM, Bill Campbell wrote:

> One of the biggest problems with random passwords is that they
> end up written on yellow-stickies on the monitor or under the
> keyboard.

I'm going to take this opportunity to preach. Everyone should be using a
good password management system. Otherwise people will use either weak
passwords or will use passwords which are predictable from other
passwords. (That is using the same password or variants of the same
password for many separate realms.)

I don't run FreeBSD on desktops so I haven't looked at the various tools
available. On OS X, I use 1password which makes excellent use of the
OS X Keychain system, and has terrific webbrowser integration. I'm fairly
sure that the Apple Keychain libraries have been or can be ported to
FreeBSD, but it might require GnuStep.

On Windows I recommend Password Safe. In ports, sysutils/pwsafe provides
a CLI utility that can manage Password Safe data. And security/gorilla
provides a tcl/tk GUI for pwsafe. I've used both on OS X, and they work
fine, but I much prefer 1password in that environment.

I've never looked at things like kwallet or other Unixish password
management systems.

But once again, I recommend that everyone use a proper password
management system.

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/

Re: generating random passwords
Bill Campbell wrote:

> I much prefer apg which can generate more-or-less pronounceable
> passwords which it is possible to remember (at least after typing
> them a few times :-).

This is not supposed to be an offense to any author of a password
generator, but:
Never, but never trust any random password generator. You do not know
the author, you do not know the algorithm it uses and in worst case
scenario you do not know if there is a millisecond traffic to somewhere
that is recording the generated password.

> One of the biggest problems with random passwords is that they
> end up written on yellow-stickies on the monitor or under the
> keyboard.

You don't need a generated password for that; it is common behaviour for
people that aren't involved in any responsibility whatsoever.

Jos

Re: generating random passwords
Zbigniew Szalbot wrote:

> Hello,
>
> Excuse me my ignorance. Is there a utility in FreeBSD that would allow
> me to generate random passwords without actually creating any accounts
> or modifying existing ones? I am looking for something to allow me to
> generate a random string of characters. I know I can randomly hit the
> keyboard but if anything like that exists, many thanks for your
> advice. :)
>
> Best regards,

I've used pwgen from ports. It sounds similar to the other suggestions.

--Andrew

Re: generating random passwords
> One of the biggest problems with random passwords is that they
> end up written on yellow-stickies on the monitor or under the
> keyboard.

there is no cure for that in FreeBSD. you need some non-computer hardware
to stop that behaviour ;)

Re: generating random passwords
On Wed, Jun 11, 2008, Roland Smith wrote:
>On Wed, Jun 11, 2008 at 09:20:30AM +0200, Zbigniew Szalbot wrote:
>> Hello,
>>
>> Excuse me my ignorance. Is there a utility in FreeBSD that would allow
>> me to generate random passwords without actually creating any accounts
>> or modifying existing ones? I am looking for something to allow me to
>> generate a random string of characters. I know I can randomly hit the
>> keyboard but if anything like that exists, many thanks for your advice. :)
>
>Using FreeBSD's random device:
>tcsh syntax:
>( dd if=/dev/random bs=6 count=1 | openssl base64 > /dev/tty ) > & /dev/null
>
>sh syntax:
>dd if=/dev/random bs=6 count=1 2>/dev/null| openssl base64

I much prefer apg which can generate more-or-less pronounceable
passwords which it is possible to remember (at least after typing
them a few times :-).

One of the biggest problems with random passwords is that they
end up written on yellow-stickies on the monitor or under the
keyboard.

Bill
--
INTERNET: [EMAIL PROTECTED]       Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/    PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676             Mercer Island, WA 98040-0820
Fax: (206) 232-9186

With Congress, every time they make a joke it's a law; and every time
they make a law it's a joke. -- Will Rogers

Re: generating random passwords
On Wed, Jun 11, 2008 at 09:20:30AM +0200, Zbigniew Szalbot wrote:
> Hello,
>
> Excuse me my ignorance. Is there a utility in FreeBSD that would allow
> me to generate random passwords without actually creating any accounts
> or modifying existing ones? I am looking for something to allow me to
> generate a random string of characters. I know I can randomly hit the
> keyboard but if anything like that exists, many thanks for your advice. :)

Using FreeBSD's random device:

tcsh syntax:
( dd if=/dev/random bs=6 count=1 | openssl base64 > /dev/tty ) > & /dev/null

sh syntax:
dd if=/dev/random bs=6 count=1 2>/dev/null| openssl base64

Roland
--
R.F.Smith http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

Re: generating random passwords
At 2008-06-11T09:20:30+02:00, Zbigniew Szalbot wrote:

> Is there a utility in FreeBSD that would allow me to generate random
> passwords without actually creating any accounts or modifying
> existing ones? I am looking for something to allow me to generate a
> random string of characters.

One way is to use the rand(1) command which comes with the base system
as a part of OpenSSL:

[riemann:/usr/home/raghu]% openssl rand -base64 6
1olqAkXG
[riemann:/usr/home/raghu]% openssl rand -base64 9
gO/9nTp5/SYa
[riemann:/usr/home/raghu]% openssl rand -base64 6
ib9SrIe2

Base64 encoding transforms every group of 3 octets to 4 encoded
characters, so `openssl rand -base64 3N' produces a string with 4N
encoded characters.

In case it is relevant, the generated strings are made up of the 62
US-ASCII alphanumerical characters, `+', and `/'.

HTH,
Raghavendra.

--
N. Raghavendra <[EMAIL PROTECTED]> | http://www.retrotexts.net/
Harish-Chandra Research Institute | http://www.mri.ernet.in/
See message headers for contact and OpenPGP information.

Re: generating random passwords
> Excuse me my ignorance. Is there a utility in FreeBSD that would allow
> me to generate random passwords without actually creating any accounts
> or modifying

example:

[EMAIL PROTECTED] ~]$ cat bin/genpwd
#!/bin/sh
dd if=/dev/urandom bs=8 count=1 2>/dev/null |hexdump|cut -b 9-12,14-17,19-22,24-27

Re: generating random passwords
On Wednesday 11 June 2008 10:20:30 Zbigniew Szalbot wrote:
> Excuse me my ignorance. Is there a utility in FreeBSD that would allow
> me to generate random passwords without actually creating any accounts
> or modifying existing ones? I am looking for something to allow me to
> generate a random string of characters. I know I can randomly hit the
> keyboard but if anything like that exists, many thanks for your advice.
> :)

That's a common problem I have, and most of the time I was relying on
BASH's $RANDOM. Just thought of this:

sed -n 's/[EMAIL PROTECTED]&*()_+=-|\]//g; /^\(.\{10\}\).*/{ s//\1/p; q; }; b' /dev/urandom

HTH, Nikos

Re: generating random passwords
On 11/06/08 at 09:22, Zbigniew Szalbot wrote:
> Hello,

Hello,

> Excuse me my ignorance. Is there a utility in FreeBSD that would allow
> me to generate random passwords without actually creating any accounts
> or modifying existing ones? I am looking for something to allow me to
> generate a random string of characters. I know I can randomly hit the
> keyboard but if anything like that exists, many thanks for your advice.
> :)

apg[1] could do the trick, it could generate different kinds of
passwords, either pronounceable or unpronounceable.

% apg -a1 -m64
jVMH8f]~[nZ\Bs2"a-b*,gYPIL=u9_&zt~+:OXg$jDE{JnRx
% apg -a0 -m8
DykavWabjo
eyHeefVoc
Agdeikkeo
ivEncig1
ipfevDyod
MywranEn1

Ref:
[1] - http://www.freshports.org/security/apg/

> > Best regards,

Regards,
Baptiste
--
Baptiste Grenier | PGP: 0x069112E2
HealthGrid SysAdmin http://healthgrid.org/