From owner-freebsd-hackers Sun Nov 22 13:12:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA13627 for freebsd-hackers-outgoing; Sun, 22 Nov 1998 13:12:56 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA13617 for ; Sun, 22 Nov 1998 13:12:53 -0800 (PST) (envelope-from peter.jeremy@auss2.alcatel.com.au)
Received: by border.alcanet.com.au id <40323>; Mon, 23 Nov 1998 08:11:36 +1100
Date: Mon, 23 Nov 1998 08:12:02 +1100
From: Peter Jeremy
Subject: Re: freebsd-hackers-digest V4 #314
To: hackers@FreeBSD.ORG
Message-Id: <98Nov23.081136est.40323@border.alcanet.com.au>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 20 Nov 1998 08:39:16 -0800 (PST), EE wrote:
>I'm looking for a password generator.

And various people responded with things like: "it's really piece of cake to write that kind of program in perl or C", and a couple of people posted sample code.

Unfortunately, all of the postings I've seen so far suffer from a fatal flaw - all of them use pseudo-random numbers and hence generate pseudo-random passwords. This means that the password can be fairly readily broken by knowing the algorithm used to generate the password. (On the positive side, one of them did attempt to increase the entropy of the generated password, but srandom() only provides 32-bits, which is trivial to crack nowadays. On the negative side, another program made no attempt to seed the random number, thus providing a conveniently repeatable list of passwords for any cracker).

A true random password requires random numbers, which are very difficult to generate within a computer. Depending on your needs, /dev/random may be adequate (see random(4)). srandomdev(3) is a start, but unfortunately uses /dev/urandom instead of /dev/random and can quietly fall back to srandom(3) in some cases.

Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247
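
Added example, not part of the original message or of any code posted in the thread: a C generator that takes every password character directly from a kernel random device and fails instead of falling back to a seeded PRNG, which is the behaviour the message objects to in srandomdev(3). The function name gen_password, the 62-character alphabet and the 16-character length are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Alphabet is an assumption of this example: 62 symbols, about 5.95 bits each,
 * so 16 characters carry about 95 bits, versus the 32 bits of an srandom() seed. */
static const char ALNUM[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Fill out[0..len-1] with characters drawn uniformly from alphabet, using only
 * bytes read from the random device at dev. out must hold len + 1 bytes.
 * Returns 0 on success, -1 on any failure. There is no PRNG fallback. */
int gen_password(const char *dev, const char *alphabet, char *out, size_t len)
{
    size_t n = strlen(alphabet), i = 0;
    if (n < 2 || n > 256)
        return -1;
    /* Reject bytes >= limit so that (byte % n) is uniform rather than biased. */
    unsigned limit = 256 - (unsigned)(256 % n);
    int fd = open(dev, O_RDONLY);
    if (fd < 0)
        return -1;
    while (i < len) {
        unsigned char b;
        ssize_t r = read(fd, &b, 1);
        if (r < 0 && errno == EINTR)
            continue;                   /* interrupted by a signal: retry */
        if (r != 1) {                   /* error or EOF: wipe partial output */
            close(fd);
            memset(out, 0, len + 1);
            return -1;
        }
        if (b < limit)
            out[i++] = alphabet[b % n];
    }
    out[len] = '\0';
    close(fd);
    return 0;
}

int main(void)
{
    char pw[17];
    if (gen_password("/dev/random", ALNUM, pw, 16) != 0) {
        fprintf(stderr, "kernel randomness unavailable; refusing to generate\n");
        return 1;
    }
    puts(pw);
    return 0;
}
```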