Date:      Sat, 14 Dec 1996 18:24:38 +1100 (EST)
From:      Julian Assange <proff@iq.org>
To:        ache@nagual.ru (=?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7=2C_Andrey_Chernov?=)
Cc:        security@freebsd.org, hackers@freebsd.org
Subject:   Re: vulnerability in new pw suite
Message-ID:  <199612140724.SAA05070@profane.iq.org>
In-Reply-To: <Pine.BSF.3.95.961214164310.396C-100000@nagual.ru> from "[______ ______, Andrey Chernov]" at "Dec 14, 96 04:51:08 pm"

> On Sat, 14 Dec 1996, Julian Assange wrote:
> 
> > The FreeBSD account administration pw suite is able to produce
> > "random" passwords for new accounts. Due to the simplicity of the
> > password generation algorithm involved, the passwords are easily
> > predictable amid a particular range of possibilities. This range
> > may be very narrow, depending on what sort of information is
> > available to the attacker.
> 
> I agree on this subj. but I wonder about the method you use; it
> is unnecessarily complex, reading /dev/urandom will be enough
> without MD5 hashing. /dev/urandom is not an optional device, so
> if it doesn't exist or does not give enough bytes it must be
> detected as a program failure and not covered by the MD5 workaround.
> -- 
> Andrey A. Chernov

I thought it was optional; a check of this shows you are right.
Still, it is possible that David is using pw(8) on more platforms
than FreeBSD.

As for the password length issue, known password length is only an
issue with dictionary passwords, as length l-1 is always many times
easier to check than length l, so any such checking algorithm always
starts at the smallest length and works up. The worst case (security-
wise) scenario only gains the attacker 1/n comparisons, such that
n is the number of potential characters selectable for any given
character position, i.e. 1/n < 1/26

-Julian A. (proff@suburbia.net)
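
The approach discussed in the quoted reply (read /dev/urandom directly and treat a missing device or a short read as a program failure), as an added example that is not part of the original message and is not pw(8)'s code. The function name, the alphabet and the rejection-sampling step are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical 62-symbol alphabet (an assumption, not taken from pw). */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Fill out[0..len-1] with random symbols and NUL-terminate it; out must
 * hold len + 1 bytes. Returns 0 on success, -1 if dev cannot be opened
 * or stops supplying bytes. There is deliberately no weaker fallback:
 * the caller is expected to abort. */
int random_password(const char *dev, char *out, size_t len)
{
    const size_t n = sizeof(ALPHABET) - 1;              /* 62 symbols */
    const unsigned limit = 256 - (unsigned)(256 % n);   /* 248 */
    size_t i = 0;
    int fd = open(dev, O_RDONLY);

    if (fd < 0)
        return -1;
    while (i < len) {
        unsigned char b;
        ssize_t r = read(fd, &b, 1);
        if (r < 0 && errno == EINTR)
            continue;                   /* interrupted, try again */
        if (r != 1) {                   /* read error or EOF: short read */
            close(fd);
            memset(out, 0, len + 1);    /* never return a partial password */
            return -1;
        }
        if (b < limit)                  /* drop 248..255 to avoid modulo bias */
            out[i++] = ALPHABET[b % n];
    }
    out[len] = '\0';
    close(fd);
    return 0;
}

int main(void)
{
    char pw[13];
    if (random_password("/dev/urandom", pw, 12) != 0) {
        fprintf(stderr, "random device unavailable, refusing to continue\n");
        return 1;
    }
    puts(pw);
    return 0;
}
```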
