From owner-freebsd-questions@FreeBSD.ORG  Tue Aug  4 06:20:52 2009
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C99DC1065674
	for <freebsd-questions@freebsd.org>;
	Tue,  4 Aug 2009 06:20:52 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from mailhub.rachie.is-a-geek.net (rachie.is-a-geek.net
	[66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 986EA8FC0A
	for <freebsd-questions@freebsd.org>;
	Tue,  4 Aug 2009 06:20:52 +0000 (UTC)
	(envelope-from mel.flynn+fbsd.questions@mailing.thruhere.net)
Received: from smoochies.rachie.is-a-geek.net
	(mailhub.lan.rachie.is-a-geek.net [192.168.2.11])
	by mailhub.rachie.is-a-geek.net (Postfix) with ESMTP id C1ED57E818
	for <freebsd-questions@freebsd.org>;
	Mon,  3 Aug 2009 22:20:51 -0800 (AKDT)
From: Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net>
To: freebsd-questions@freebsd.org
Date: Mon, 3 Aug 2009 22:20:50 -0800
User-Agent: KMail/1.11.4 (FreeBSD/8.0-BETA2; KDE/4.2.4; i386; ; )
References: <64c038660908031928v15a76d15g5599e6f3fef936e1@mail.gmail.com>
In-Reply-To: <64c038660908031928v15a76d15g5599e6f3fef936e1@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200908032220.50964.mel.flynn+fbsd.questions@mailing.thruhere.net>
Subject: Re: Secure password generation...blasphemy!
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Aug 2009 06:20:53 -0000

On Monday 03 August 2009 18:28:52 Modulok wrote:

> I wrote a python script which uses /dev/random, and hashes the output
> with sha256. I then truncate the output to the desired length.
> Blasphemy! According to the superstitious password crowd my passwords
> are not very secure ... maybe.

They aren't, because you reduce the random to a much less random, *because* 
you are hashing.
You're much better off, using ctype to determine if the byte you got is 
typeable on a keyboard and if not getting the next byte. Or use an array of 
allowed characters and read the rands as integers modulus the size of the 
array.

But as others have stated, you're reinventing the wheel, and even FreeBSD's 
adduser(8) can generate random passwords that are suitable for most uses. You 
should really answer Kurt's questions to determine how secure they should be.

As far as Pseudo generators go, they will generate the same sequence for the 
same seed, so if the seed is guessable by an attacker, you should not use 
them.
-- 
Mel