Date: Wed, 18 Jan 2012 01:53:11 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: pwgen: non-uniform distribution of passwords Kurt, On Tue, Jan 17, 2012 at 02:14:17PM -0700, Kurt Seifried wrote: > I'm of the mind that documenting issues is good but documenting issues > doesn't always make them go away. > > E.g. documenting a default usrname/password where it can be easily > changed is reasonable. Documenting a default username/password that > cannot be changed doesn't really help to the same degree. > > In this case we have something that tells you not to use an unsafe > option but isn't exceedingly noticeable or clear (if it came up every > time you used that option there would be a stringer case for no CVE). > I'm sitting on the fence for this one (I can see it going either way), > wouldn't mind some more opinions from the smart people on this list. CVE assignments also don't always make issues go away. I might update/revise my analysis on this issue in a few days. Specifically, I now suspect that a (large) part of the apparent non-uniformity of the distribution was in fact an artifact of my analysis approach. I only analyzed sets of 1 million of pwgen'ed passwords, so I could not directly check the distribution of full passwords (1 million is too little, even compared to the small keyspace of these passwords), whereas JtR only uses trigraph frequencies. I am now generating 1 billion of pwgen'ed passwords, which should take a couple of days to complete. (I could speed this up with some changes to pwgen or by using multiple machines, but I see no need for that. 2 days is fine with me.) Based on the 30 million generated so far, it appears that maybe the primary problem is in fact small keyspace (on the order of 28 bits, it seems) rather than non-uniform distribution - but this is also a preliminary conclusion. Let's wait for the 1 billion, which should be enough for a more reliable conclusion if the keyspace is in fact this small. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ