Date: Thu, 12 Jun 2008 02:17:59 +0100 From: RW <fbsd06@mlists.homeunix.com> To: freebsd-questions@freebsd.org Subject: Re: generating random passwords Message-ID: <20080612021759.35dc0838@gumby.homeunix.com.> In-Reply-To: <48501F44.3010606@sentex.net> References: <484F7CBE.5060401@lc-words.com> <48501F44.3010606@sentex.net>
On Wed, 11 Jun 2008 14:53:56 -0400
Andrew Berry <andrewberry@sentex.net> wrote:

> Zbigniew Szalbot wrote:
> > Hello,
> >
> > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > allow me to generate random passwords without actually creating any
> > accounts or modifying existing ones? I am looking for something to
> > allow me to generate a random string of characters. I know I can
> > randomly hit the keyboard but if anything like that exists, many
> > thanks for your advice. :)
> >
> > Best regards,
>
> I've used pwgen from ports. It sounds similar to the other
> suggestions.

There are actually two versions of this in ports: sysutils/pwgen and
sysutils/pwgen2. The latter is an independent rewrite rather than a
version 2, and seems to be much more secure.

The problem with pwgen is that its PRNG is very weakly seeded, making it
vulnerable to simple brute-force attacks. As most of the entropy comes
from the time (in *integer* seconds), it's particularly weak if an
attacker knows roughly when the password was generated. An attacker with
local access may even be able to compute the passwords directly.

pwgen2 gets random numbers directly from /dev/random, which is how it
should be.

IMO pwgen should be removed from the ports tree, or failing that should
be patched to use arc4random(), which is self-seeding. I don't really
see the point in keeping it though.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080612021759.35dc0838>
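The brute-force scenario RW describes above, as an added example that is not part of the original thread and not pwgen's or pwgen2's actual code: a hypothetical generator whose only entropy is a seed in integer seconds (a small LCG stands in for whatever PRNG such a tool would use), an attacker who knows the generation time to within an hour and recovers the password by trying every seed in that window against the stored hash, and, for contrast, a generator that draws its bytes from the kernel CSPRNG with rejection sampling to avoid modulo bias. The 64-bit FNV-1a hash stands in for a real password hash such as crypt(3), the seed value is constructed (it is an epoch time near the date of the message), and /dev/urandom is read so the example also runs on Linux; on FreeBSD arc4random_buf(3) or /dev/random would be the natural source.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_LEN 8
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_LEN (sizeof ALPHABET - 1)   /* 62 */

/* Hypothetical weak generator: all of its state is a 32-bit seed taken from
 * time() in whole seconds. The LCG is only here to keep the example
 * deterministic; it models the problem, it is not pwgen's code. */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fffu;
}

void weak_password(uint32_t seed_seconds, char out[PW_LEN + 1]) {
    uint32_t st = seed_seconds;
    for (int i = 0; i < PW_LEN; i++)
        out[i] = ALPHABET[lcg_next(&st) % ALPHABET_LEN];
    out[PW_LEN] = '\0';
}

/* Stand-in for the stored password hash (64-bit FNV-1a). A real system
 * would store a crypt(3) hash; the attack below works the same way. */
uint64_t toy_hash(const char *s) {
    uint64_t h = 1469598103934665603ull;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ull; }
    return h;
}

/* Attacker: knows the password was generated somewhere in [t0, t0 + window)
 * and has the stored hash. Enumerates every candidate seed, re-derives the
 * password and compares hashes. Returns the number of candidates tried
 * until the match (an hour-wide window is at most 3600), or -1 if the
 * password was not generated in that window. */
long brute_force_seed(uint64_t target_hash, uint32_t t0, uint32_t window,
                      char recovered[PW_LEN + 1]) {
    char cand[PW_LEN + 1];
    for (uint32_t s = 0; s < window; s++) {
        weak_password(t0 + s, cand);
        if (toy_hash(cand) == target_hash) {
            memcpy(recovered, cand, PW_LEN + 1);
            return (long)s + 1;
        }
    }
    return -1;
}

/* Correct approach: every character comes from the kernel CSPRNG, so there
 * is no seed to guess. Bytes >= 248 (the largest multiple of 62 that fits
 * in a byte) are rejected so that each character is uniform over the
 * alphabet. Returns 0 on success, -1 if the random source is unavailable. */
int strong_password(char out[PW_LEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");   /* FreeBSD: arc4random_buf(3) */
    if (!f) return -1;
    const unsigned limit = 256 - (256 % ALPHABET_LEN);   /* 248 */
    int filled = 0;
    while (filled < PW_LEN) {
        unsigned char buf[4 * PW_LEN];
        size_t n = fread(buf, 1, sizeof buf, f);
        if (n == 0) { fclose(f); return -1; }
        for (size_t i = 0; i < n && filled < PW_LEN; i++)
            if (buf[i] < limit)
                out[filled++] = ALPHABET[buf[i] % ALPHABET_LEN];
    }
    fclose(f);
    out[PW_LEN] = '\0';
    return 0;
}

int main(void) {
    /* Constructed: an epoch time close to the date of this thread. */
    const uint32_t generated_at = 1213233479u;
    char pw[PW_LEN + 1], recovered[PW_LEN + 1];

    weak_password(generated_at, pw);
    long tries = brute_force_seed(toy_hash(pw), generated_at - 1800, 3600, recovered);
    printf("weak:   %s  recovered %s after %ld candidates\n", pw, recovered, tries);

    if (strong_password(pw) == 0)
        printf("strong: %s  (no seed to enumerate)\n", pw);
    return 0;
}
```

The attacker never needs the generator's output stream, only the stored hash and a rough idea of when the account was created; with a one-hour uncertainty the search space is 3600 candidates, which is trivial compared with the 62^8 passwords an 8-character string ought to represent. Seeding from a CSPRNG removes the seed entirely rather than making it harder to guess.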