On Thu, Jun 12, 2008 at 02:17:59AM +0100, RW wrote:
>
> On Wed, 11 Jun 2008 14:53:56 -0400
> Andrew Berry <[EMAIL PROTECTED]> wrote:
>
> > Zbigniew Szalbot wrote:
> > > Hello,
> > >
> > > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > > allow me to generate random passwords without actually creating any
> > > accounts or modifying existing ones? I am looking for something to
> > > allow me to generate a random string of characters. I know I can
> > > randomly hit the keyboard but if anything like that exists, many
> > > thanks for your advice. :)
> > >
> > > Best regards,
> > I've used pwgen from ports. It sounds similar to the other
> > suggestions.
>
> There are actually two versions of this in ports: sysutils/pwgen and
> sysutils/pwgen2. The latter is an independent rewrite rather than a
> version 2, and seems to be much more secure.
>
> The problem with pwgen is that its PRNG is very weakly seeded, making
> it vulnerable to simple brute-force attacks. As most of the entropy
> comes from the time (in *integer* seconds), it's particularly weak if an
> attacker knows roughly when the password was generated. An attacker with
> local access may even be able to compute the passwords directly.

Thanks for the heads-up.

>
> pwgen2 gets random numbers directly from /dev/random, which is how
> it should be.
>
> IMO pwgen should be removed from the ports tree, or failing that should
> be patched to use arc4random(), which is self-seeding. I don't really
> see the point in keeping it though.

It would be nice if it could be patched and a portaudit warning issued
for it so users could update. The patching would be beyond me
unfortunately...or fortunately, as I would likely make it *really* insecure ;)

Regards,

-- 
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
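
Added example, not part of the thread and not pwgen or pwgen2 source: a C sketch of the seeding weakness discussed above next to a generator that draws from the kernel's random device. The function names, the 62-character alphabet and the use of /dev/urandom (so it also runs outside FreeBSD) are assumptions; `weak_password` is a simplified stand-in for time-seeded generation.

```c
/* Added illustration: stand-in for time-seeded generation, not pwgen's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_LEN (sizeof(ALPHABET) - 1)   /* 62 symbols */

/* Weak pattern: every character is a function of one whole-second
 * timestamp, so the same second always yields the same password. */
void weak_password(time_t seed, char *out, size_t len)
{
    srand((unsigned)seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[rand() % ALPHABET_LEN];
    out[len] = '\0';
}

/* Hardened pattern: each character comes from kernel random bytes.
 * Bytes >= 248 are rejected so that byte % 62 is unbiased.
 * Returns 0 on success, -1 if the device cannot be read. */
int strong_password(char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    const unsigned limit = 256 - (256 % ALPHABET_LEN);  /* 248 */
    size_t i = 0;
    while (i < len) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c < limit)
            out[i++] = ALPHABET[(unsigned)c % ALPHABET_LEN];
    }
    out[len] = '\0';
    fclose(f);
    return 0;
}

int main(void)
{
    char a[17], b[17], c[17];
    time_t now = time(NULL);
    weak_password(now, a, 16);
    weak_password(now, b, 16);   /* same second: identical output */
    if (strong_password(c, 16) != 0) return 1;
    printf("weak:   %s\nweak:   %s\nstrong: %s\n", a, b, c);
    return 0;
}
```

The two "weak" lines always match because the whole password is determined by the second it was generated in, which is why the seed rather than the password length bounds its strength.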
