Date:      Sat, 14 Dec 1996 16:51:08 +0300 (MSK)
From:      Андрей Чернов, Andrey Chernov <ache@nagual.ru>
To:        Julian Assange <proff@iq.org>
Cc:        security@freebsd.org, hackers@freebsd.org
Subject:   Re: vulnerability in new pw suite
Message-ID:  <Pine.BSF.3.95.961214164310.396C-100000@nagual.ru>
In-Reply-To: <199612140135.MAA04639@profane.iq.org>

On Sat, 14 Dec 1996, Julian Assange wrote:

> The FreeBSD account administration pw suite is able to produce
> "random" passwords for new accounts. Due to the simplicity of the
> password generation algorithm involved, the passwords are easily
> predictable amid a particular range of possibilities. This range
> may be very narrow, depending on what sort of information is
> available to the attacker.

I agree on this subject, but I wonder about the method you use; it
is unnecessarily complex: reading /dev/urandom will be enough
without MD5 hashing. /dev/urandom is not an optional device, so
if it doesn't exist or doesn't give enough bytes, it must be
detected as a program failure and not covered by an MD5 workaround.
random() must be replaced with /dev/urandom reading, because the
password length will be easily predicted too.

-- 
Andrey A. Chernov
<ache@nagual.ru>
http://www.nagual.ru/~ache/
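The approach Chernov describes, as an added illustration that is not code from the FreeBSD pw suite or from either poster: every byte, including the one that decides the password length, comes from /dev/urandom, and any failure to open the device or to get the requested number of bytes is reported as an error with no fallback. The function names, the device path parameter (so the failure case can be exercised against a path that does not exist) and the character alphabet are assumptions made here for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fill buf with exactly len bytes from the device at path.
 * Returns 0 on success, -1 on any failure: device missing, read error,
 * or fewer bytes than requested (short read). There is deliberately
 * no fallback source; the caller must treat -1 as a program failure. */
int fill_from_device(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (n == 0) {          /* EOF before len bytes: short read, failure */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Draw one value uniformly from [0, n) using device bytes, with rejection
 * sampling so that n not dividing 256 introduces no modulo bias.
 * n must be in 1..256. Returns -1 if the device fails. */
int uniform_below(const char *path, unsigned int n)
{
    unsigned char b;
    unsigned int limit = 256 - (256 % n);   /* largest multiple of n <= 256 */
    for (;;) {
        if (fill_from_device(path, &b, 1) != 0)
            return -1;
        if (b < limit)
            return (int)(b % n);
    }
}

/* Example alphabet (assumption for this illustration, not pw's). */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Generate a password whose length is drawn uniformly from [minlen, maxlen]
 * and whose characters are drawn uniformly from ALPHABET, all from the
 * device at path (never from random()). out must hold maxlen + 1 bytes.
 * Returns the length, or -1 on bad arguments or device failure. */
int gen_password(const char *path, char *out,
                 unsigned int minlen, unsigned int maxlen)
{
    if (minlen == 0 || maxlen < minlen || maxlen - minlen >= 256)
        return -1;
    int span = uniform_below(path, maxlen - minlen + 1);
    if (span < 0)
        return -1;
    unsigned int len = minlen + (unsigned int)span;
    for (unsigned int i = 0; i < len; i++) {
        int idx = uniform_below(path, (unsigned int)(sizeof(ALPHABET) - 1));
        if (idx < 0)
            return -1;
        out[i] = ALPHABET[idx];
    }
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    char pw[33];
    int len = gen_password("/dev/urandom", pw, 8, 12);
    if (len < 0) {
        fprintf(stderr, "cannot read /dev/urandom; refusing to generate\n");
        return 1;
    }
    printf("%s (%d chars)\n", pw, len);
    return 0;
}
```

The rejection step in uniform_below matters because 256 is not a multiple of the alphabet size or of most length ranges; a plain `byte % n` would make some characters and lengths slightly more likely, which is exactly the kind of structure a guesser can exploit.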

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.961214164310.396C-100000>