Date: Thu, 12 Jun 2008 03:16:39 +0100
From: Frank Shute
To: RW
Cc: freebsd-questions@freebsd.org
Subject: Re: generating random passwords

On Thu, Jun 12, 2008 at 02:17:59AM +0100, RW wrote:
>
> On Wed, 11 Jun 2008 14:53:56 -0400
> Andrew Berry wrote:
>
> > Zbigniew Szalbot wrote:
> > > Hello,
> > >
> > > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > > allow me to generate random passwords without actually creating any
> > > accounts or modifying existing ones? I am looking for something to
> > > allow me to generate a random string of characters. I know I can
> > > randomly hit the keyboard but if anything like that exists, many
> > > thanks for your advice. :)
> > >
> > > Best regards,
> > I've used pwgen from ports. It sounds similar to the other
> > suggestions.
>
> There are actually two versions of this in ports: sysutils/pwgen and
> sysutils/pwgen2. The latter is an independent rewrite rather than a
> version 2, and seems to be much more secure.
>
> The problem with pwgen is that its PRNG is very weakly seeded, making
> it vulnerable to simple brute-force attacks. As most of the entropy
> comes from the time (in *integer* seconds), it's particularly weak if an
> attacker knows roughly when the password was generated. An attacker with
> local access may even be able to compute the passwords directly.

Thanks for the heads-up.

>
> pwgen2 gets random numbers directly from /dev/random, which is how
> it should be.
>
> IMO pwgen should be removed from the ports tree, or failing that should
> be patched to use arc4random(), which is self-seeding. I don't really
> see the point in keeping it though.

It would be nice if it could be patched and a portaudit warning issued
for it so users could update. The patching would be beyond me
unfortunately...or fortunately, as I would likely make it *really*
insecure ;)

Regards,

-- 
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
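
The weakness and the fix discussed in this thread, as an added example that is not part of the original messages and is not pwgen's or pwgen2's code: a time-style seed fully determines the password, while reading the kernel CSPRNG does not depend on any seed the program chooses. The function names, the alphabet and the use of /dev/urandom are assumptions made for the illustration; on FreeBSD, arc4random_uniform() would serve the same purpose as the rejection-sampling loop.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_LEN ((unsigned int)(sizeof(ALPHABET) - 1))   /* 62 symbols */

/* Weak pattern: the seed fully determines the output, so a seed taken from
 * the clock in whole seconds allows only one possible password per second. */
void weak_password(unsigned int seed, char *out, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[(unsigned int)rand() % ALPHABET_LEN];
    out[len] = '\0';
}

/* Hardened pattern: bytes from the kernel CSPRNG, rejecting values >= 248 so
 * the modulo is unbiased. Returns 0 on success, -1 if the device fails. */
int strong_password(char *out, size_t len)
{
    const unsigned int limit = 256 - (256 % ALPHABET_LEN);
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    for (size_t i = 0; i < len; ) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned int)c < limit)
            out[i++] = ALPHABET[(unsigned int)c % ALPHABET_LEN];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char a[17], b[17], c[17];
    weak_password(1213236999u, a, 16);   /* constructed seed: a Unix time in seconds */
    weak_password(1213236999u, b, 16);
    printf("weak, same seed twice: %s %s (identical: %d)\n", a, b, strcmp(a, b) == 0);
    if (strong_password(c, 16) == 0)
        printf("strong: %s\n", c);
    return 0;
}
```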