Date: Thu, 12 Jun 2008 02:17:59 +0100
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: generating random passwords
Message-ID: <20080612021759.35dc0838@gumby.homeunix.com.>
In-Reply-To: <48501F44.3010606@sentex.net>

On Wed, 11 Jun 2008 14:53:56 -0400
Andrew Berry wrote:

> Zbigniew Szalbot wrote:
> > Hello,
> >
> > Excuse me my ignorance. Is there a utility in FreeBSD that would
> > allow me to generate random passwords without actually creating any
> > accounts or modifying existing ones? I am looking for something to
> > allow me to generate a random string of characters. I know I can
> > randomly hit the keyboard but if anything like that exists, many
> > thanks for your advice. :)
> >
> > Best regards,
> I've used pwgen from ports. It sounds similar to the other
> suggestions.

There are actually two versions of this in ports: sysutils/pwgen and
sysutils/pwgen2. The latter is an independent rewrite rather than a
version 2, and seems to be much more secure.

The problem with pwgen is that its PRNG is very weakly seeded, making
it vulnerable to simple brute-force attacks. As most of the entropy
comes from the time (in *integer* seconds), it's particularly weak if
an attacker knows roughly when the password was generated. An attacker
with local access may even be able to compute the passwords directly.

pwgen2 gets random numbers directly from /dev/random, which is how it
should be.

IMO pwgen should be removed from the ports tree, or failing that should
be patched to use arc4random(), which is self-seeding. I don't really
see the point in keeping it though.
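The seeding problem described in the message above, as an added C example that is not part of the original post and is not code from pwgen or pwgen2. The weak generator is a constructed toy seeded only from the time in whole seconds (pwgen's actual seeding is not reproduced here), and the names weak_password, seeds_matching and strong_password are hypothetical; it is set beside a generator that draws from the kernel random device.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

static const char CHARSET[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
enum { NCHARS = sizeof CHARSET - 1, PWLEN = 12 };  /* 62 symbols, 12-char passwords */

/* WEAK, constructed toy (assumption, not pwgen's code): seed = time in whole seconds. */
static void weak_password(time_t when, char out[PWLEN + 1]) {
    unsigned int state = (unsigned int)when;
    for (size_t i = 0; i < PWLEN; i++) {
        state = state * 1103515245u + 12345u;  /* textbook LCG step */
        out[i] = CHARSET[(state >> 16) % NCHARS];
    }
    out[PWLEN] = '\0';
}

/* Seeds in [start, start + window) that regenerate target: one candidate per second. */
static long seeds_matching(const char *target, time_t start, long window) {
    char buf[PWLEN + 1];
    long hits = 0;
    for (long s = 0; s < window; s++) {
        weak_password(start + s, buf);
        if (strcmp(buf, target) == 0) hits++;
    }
    return hits;
}

/* HARDENED: kernel random device (same device as /dev/random on FreeBSD). */
static int strong_password(char out[PWLEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (size_t i = 0; i < PWLEN; ) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        /* Accept only 0..247 so every symbol is equally likely (no modulo bias). */
        if (c < 256 - 256 % NCHARS) out[i++] = CHARSET[c % NCHARS];
    }
    out[PWLEN] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    char weak[PWLEN + 1], strong[PWLEN + 1];
    time_t now = time(NULL);
    weak_password(now, weak);
    /* A one-hour uncertainty about creation time leaves only 3600 candidates. */
    printf("weak   %s, matching seeds: %ld\n", weak, seeds_matching(weak, now - 1800, 3600));
    if (strong_password(strong) == 0) printf("strong %s\n", strong);
    return 0;
}
```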