Date: Mon, 08 Jan 2007 12:41:39 -0800 From: Garrett Cooper <youshi10@u.washington.edu> To: freebsd-questions@freebsd.org Subject: Re: pwgen's seeding looks insecure Message-ID: <45A2AC83.4090506@u.washington.edu> In-Reply-To: <45A2A60F.3080500@u.washington.edu> References: <20070108175314.27ce391f@gumby.homeunix.com> <20070108183645.GF41724@dan.emsphone.com> <EAE5160D-6B80-4C6A-BB8F-70518EE0711F@u.washington.edu> <20070108191411.GG41724@dan.emsphone.com> <45A2A60F.3080500@u.washington.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Garrett Cooper wrote: > Dan Nelson wrote: >> In the last episode (Jan 08), Garrett Cooper said: >> >>> On Jan 8, 2007, at 10:36 AM, Dan Nelson wrote: >>> >>>> Even better: make RANDOM() call random() instead of rand(), and >>>> initialize the rng with srandomdev(). >>>> >>>> Another random password generator is in security/apg, and that one >>>> already uses /dev/random as a seed. >>>> >>> Not all architectures support random number generation though IIRC >>> and random number generation can be removed from the kernel, so I >>> think that the dev was playing it safe by using another, less random >>> seed source than /dev/random or /dev/urandom. >>> >> >> Luckily, if srandomdev() can't open /dev/random, it falls back to >> seeding with gettimeofday() (so more variability than just time()), >> getpid(), and some random data off the stack, so it's always safe to >> use. I just noticed that there's also a sranddev, so fixing pwgen is >> really as simple as replacing the srand() call with sranddev() > Interesting--I didn't know that. That sounds a lot better than > what's in place by a long shot and it would be nice to have that in > the program considering that random number generators are quite > ubiquitous in Unix nowadays. > I'll CC the project devs later on today with this thread then. > -Garrett Hmm.. it seems that the project hasn't been updated in eons (2001): <http://sourceforge.net/projects/pwgen>. I'll still try to get a hold of the dev, but I'm not sure if they are still administering the project. -Garrett
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45A2AC83.4090506>