Fedora account system (FAS) potential information disclosure

Posted May 11, 2013 5:06 UTC (Sat) by lindi (subscriber, #53135)
In reply to: Fedora account system (FAS) potential information disclosure by SEJeff
Parent article: Fedora account system (FAS) potential information disclosure

The problem with pwgen is that not all passwords are equally probable. Try generating a few million passwords and see how certain passwords tend to occur more commonly than others.


Fedora account system (FAS) potential information disclosure

Posted May 13, 2013 15:25 UTC (Mon) by bfields (subscriber, #19510)

Yeah, looks like it's choosing from a pretty small space of passwords; wonder how long they need to be to have a reasonable amount of entropy?

Fedora account system (FAS) potential information disclosure

Posted May 14, 2013 6:15 UTC (Tue) by salimma (subscriber, #34460)

There's also pwmake, but there the problem is the passwords generated might contain characters that are rejected by poorly-designed programs.

Fedora account system (FAS) potential information disclosure

Posted May 31, 2013 3:41 UTC (Fri) by pabs (subscriber, #43278)

If you use the -s option it uses /dev/random to generate passwords. Maybe that should be the default?
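
The non-uniformity lindi describes and the entropy question bfields raises can be worked out exactly on a small model. This is an added example, not part of any comment above and not pwgen's code: the unit tables and the alternating consonant/vowel rule are constructed assumptions standing in for a pronounceable-password generator.

```python
import math
from collections import defaultdict

# Constructed toy unit tables, NOT pwgen's real ones: units are 1 or 2 chars.
CONSONANTS = ["b", "d", "k", "t", "th", "ch"]
VOWELS = ["a", "e", "o", "ai", "ee"]

def distribution(length):
    """Exact probability of each password the toy generator can emit."""
    states = {("", False): 1.0}  # (prefix, next unit is a vowel) -> probability
    final = defaultdict(float)
    while states:
        nxt = defaultdict(float)
        for (prefix, want_vowel), p in states.items():
            table = VOWELS if want_vowel else CONSONANTS
            # Pick uniformly among the units that still fit in the remaining space.
            fitting = [u for u in table if len(prefix) + len(u) <= length]
            for unit in fitting:
                word = prefix + unit
                if len(word) == length:
                    final[word] += p / len(fitting)
                else:
                    nxt[(word, not want_vowel)] += p / len(fitting)
        states = nxt
    return dict(final)

def entropy_report(dist):
    """Compare the bits a uniform choice would give with what is really there."""
    probs = list(dist.values())
    return {
        "passwords": len(probs),
        "uniform_bits": math.log2(len(probs)),
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        "min_entropy_bits": -math.log2(max(probs)),  # attacker's best first guess
        "max_over_min": max(probs) / min(probs),
    }

if __name__ == "__main__":
    for n in (4, 6, 8):
        print(n, entropy_report(distribution(n)))
```

In this model, passwords assembled from fewer, longer units need fewer random choices and therefore come up more often, so the min-entropy figure sits well below the bits suggested by simply counting the distinct passwords.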


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds