Fedora account system (FAS) potential information disclosure

Posted May 11, 2013 5:06 UTC (Sat) by lindi (subscriber, #53135)
In reply to: Fedora account system (FAS) potential information disclosure by SEJeff
Parent article: Fedora account system (FAS) potential information disclosure

The problem with pwgen is that not all passwords are equally probable. Try generating a few million passwords and see how certain passwords tend to occur more commonly than others.


Fedora account system (FAS) potential information disclosure

Posted May 13, 2013 15:25 UTC (Mon) by bfields (subscriber, #19510)

Yeah, looks like it's choosing from a pretty small space of passwords; wonder how long they need to be to have a reasonable amount of entropy?

Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 6:15 UTC (Tue) by salimma (subscriber, #34460)

There's also pwmake, but there the problem is the passwords generated might contain characters that are rejected by poorly-designed programs.

Fedora account system (FAS) potential information disclosure

Posted May 31, 2013 3:41 UTC (Fri) by pabs (subscriber, #43278)

If you use the -s option it uses /dev/random to generate passwords. Maybe that should be the default?
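
The measurement lindi describes, plus a rough answer to bfields's question about length, as an added example that is not part of the original comments or of pwgen. `toy_pronounceable` and its unit lists are a constructed stand-in for a pronounceable generator (an assumption, not pwgen's algorithm); passwords piped in on stdin, one per line, are measured instead.

```python
import math
import random
import sys
from collections import Counter

CONS = list("bcdfghjklmnpqrstvwxyz") + ["ch", "sh", "th", "ph"]  # constructed unit
VOWS = list("aeiou") + ["ae", "ee", "oo", "ie"]                  # lists, not pwgen's

def toy_pronounceable(rng, length):
    """Constructed stand-in generator: alternate units, then truncate to length."""
    out, use_cons = "", rng.random() < 0.5
    while len(out) < length:
        out += rng.choice(CONS if use_cons else VOWS)
        use_cons = not use_cons
    return out[:length]

def uniform_lower(rng, length):
    """Baseline: every lowercase string of this length is equally likely."""
    return "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))

def collision_entropy_bits(samples):
    """Renyi-2 entropy estimate: -log2 of the fraction of sample pairs that are equal."""
    n = len(samples)
    equal_pairs = sum(c * (c - 1) // 2 for c in Counter(samples).values())
    if equal_pairs == 0:
        return None  # no repeats at all: sample too small for this password space
    return -math.log2(equal_pairs / (n * (n - 1) // 2))

def min_entropy_bits(samples):
    """Plug-in estimate from the most frequent password; reads low on small samples."""
    top = Counter(samples).most_common(1)[0][1]
    return -math.log2(top / len(samples))

def chars_needed(entropy_bits, length, target_bits):
    """Rough extrapolation: assumes entropy grows linearly with password length."""
    return math.ceil(target_bits / (entropy_bits / length))

if __name__ == "__main__":
    if sys.stdin.isatty():  # nothing piped in: compare the two constructed generators
        rng = random.Random(1)
        sets = {name: [gen(rng, 4) for _ in range(200_000)]
                for name, gen in (("uniform", uniform_lower), ("toy", toy_pronounceable))}
    else:  # one password per line from a real generator
        sets = {"stdin": [line.strip() for line in sys.stdin if line.strip()]}
    for name, pw in sets.items():
        if not pw:
            continue
        h2 = collision_entropy_bits(pw)
        print(name, "distinct:", len(set(pw)), "H2:", h2, "Hmin:", min_entropy_bits(pw))
        if h2:
            print("  chars for ~64 bits:", chars_needed(h2, len(pw[0]), 64))
```

Counting equal pairs needs only about the square root of the password space in samples, which is why a few million samples are enough to expose a skewed generator at short lengths.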
