vefnorthern.blogg.se

Pwgen tails











Message-ID: CACYkhxjNX0Kk7pzWV9BAtHQZC9h85yBSbxkqh9BA+8HnGhojdw () mail ! gmail ! com

I've done some further analysis of the program after reading the previous thread, and I think there needs to be CVEs and fixes for:

- When used from a non-tty passwords are trivially weak by default (first reported by Solar Designer)
- Phonemes mode has heavy bias and is enabled by default (first reported by Solar Designer)
- Silent fallback to insecure entropy (first reported by Jean-Michel Vourgère) (Debian bug #672241 - tagged as "wishlist")
- Secure mode has bias towards numbers and uppercase letters

I've attached a patch that fixes most issues - it doesn't solve the bias towards numbers, because it's caused by requiring at-least one number per password - so in an 8 character password there'd have to be 0.1 numbers to avoid bias. There's an argument to be made for removing the at-least-one rule, but if the system that password is being used with has those rules, it doesn't fix the problem anyway.

- Print a message and abort() if there's trouble opening or reading /dev/urandom (So apport should pick up any packages that have been using insecure entropy)
- Make '-s' the default
- Add an argument -insecure-phonemes (or -P)
- Non-tty passwords are now as secure as tty
- Require lower-case characters be present to even out some bias
- Pull in passwdqc as a Suggests on the debian package - pwqgen can generate sane random passphrases

I can't imagine any reasonable use-case for the non-tty defaults (except maybe combining with espeak as an enhanced interrogation technique), and you can be certain that there's some people out there with it embedded in a script that's generating useless passwords.

For phonemes mode in general, the bias is extreme, there are a limited number of possible combinations and it is generally not suitable for security purposes. I have some fairly detailed analysis of it, but I believe this list has a no-exploits policy.

Regards,
Michael

On 11:47, Solar Designer wrote:
> On Tue, May 28, 2013 at 01:33:48AM +0000, Michael Samuel wrote:
> > The default mode of this program generates extremely low entropy passwords -
> > It is probably worth changing the default to "secure" mode and removing
> > phonemes mode, to avoid putting users at risk.
>
> You have seen the thread on pwgen from last year, right?
> (Use the "thread-prev" link for more messages from that thread.)











