Control: severity -1 important

I have split two parts into separate bugs; I think the remainder are ok:

CVE-2013-4440 non-tty passwords are trivially weak by default
  * #725507, my assessment: grave
CVE-2013-4441 Phonemes mode has heavy bias and is enabled by default
  * works as designed
CVE-2013-4442 Silent fallback to insecure entropy
  * #767008, my assessment: important
CVE-2013-4443 Secure mode has bias towards numbers and uppercase letters
  * REJECTED, actually improves security!

CVE-2013-4443 has been rejected from the CVE database.

So let's discuss CVE-2013-4441. Such a bias means the program does what it's designed to do: it produces pronounceable passwords rather than pure line noise. These are not necessarily less secure -- you just need a longer length than with line noise. Recently this has been popularized as the "correct horse battery staple" issue: long passwords are far, far easier to memorize for a human than shorter but more complex ones, while being capable of providing as much or more entropy.

What remains is that pwgen's default length, 8 characters, might have been adequate when the program was written, but is insecure today. But let's discuss that elsewhere.

So I think this bug should be closed. Not being a security expert myself, I'm merely degrading it to "important" for now, until someone else can confirm and close.

I'll bump #725507 to grave after the next britney run.

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
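The entropy-versus-length argument in the message above, worked through as an added example (this is not code from the bug report, from pwgen or from its author). It compares 8 characters of uniform alphanumeric "line noise" with a constructed toy "phonemes" generator that strictly alternates one of 21 consonants and one of 5 vowels; that toy model is an assumption made here for illustration and is not pwgen's real phoneme algorithm, whose bias is different. It also shows the "correct horse battery staple" figure for four words drawn from a 7776-word list, a list size assumed here. Randomness comes from `secrets`, which raises instead of silently falling back to a weak source, the failure mode of CVE-2013-4442.

```python
import math
import secrets
import string

# Constructed toy model of a "phonemes" mode: strictly alternate a consonant
# and a vowel. This is an assumption for illustration; it is NOT pwgen's
# actual phoneme algorithm, which is more elaborate and has its own biases.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 symbols
VOWELS = "aeiou"                        # 5 symbols
LINE_NOISE = string.ascii_letters + string.digits   # 62 symbols, like pwgen -s


def bits_uniform(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def bits_cv(length: int) -> float:
    """Entropy in bits of the toy consonant/vowel generator at `length` chars.

    Even positions hold one of 21 consonants, odd positions one of 5 vowels,
    so the count of distinct outputs is 21**ceil(n/2) * 5**floor(n/2).
    """
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    return (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS)))


def cv_length_for_bits(target_bits: float) -> int:
    """Smallest toy-phoneme length whose entropy reaches `target_bits`."""
    n = 1
    while bits_cv(n) < target_bits:
        n += 1
    return n


def pronounceable(length: int) -> str:
    """Generate one toy pronounceable password from the OS CSPRNG.

    `secrets` never falls back to a weak generator: if the OS source is
    unavailable it raises, rather than quietly emitting guessable output.
    """
    return "".join(secrets.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length))


if __name__ == "__main__":
    target = bits_uniform(len(LINE_NOISE), 8)
    need = cv_length_for_bits(target)
    print(f"8 chars of line noise (62 symbols): {target:.1f} bits")
    print(f"8 chars of toy phonemes:            {bits_cv(8):.1f} bits")
    print(f"toy phonemes need {need} chars to match: {bits_cv(need):.1f} bits")
    print(f"4 words from a 7776-word list:      {bits_uniform(7776, 4):.1f} bits")
    print("sample:", pronounceable(need))
```

Run as-is, the script reports about 47.6 bits for 8 characters of line noise, about 26.9 bits for 8 characters of the toy phoneme generator, and that the toy generator needs 15 characters to reach the same strength, while four words from a 7776-word list give about 51.7 bits. The exact per-character figure for pwgen's own phoneme mode would have to be measured against its real transition rules; the point that stands regardless of the model is that a biased-but-pronounceable generator is only weaker at equal length, not at equal entropy.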