Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 7 Dec 2010 08:09:04 +0300
From: Solar Designer <>
Subject: Re: pwgen


On Mon, Dec 06, 2010 at 10:31:02PM -0500, Rich Rumble wrote:
> I'm wondering if the windows version might offer more entropy than it's
> CLI cousin?

Actually, the Windows program you found:

appears to have almost nothing in common (except for the purpose and a
portion of the name) with the Unix program we were talking about:

The current version numbers look similar, but this appears to be a mere

There are a few other things called "pwgen" as well.

As to entropy, the problem of pwgen by Theodore Ts'o was not a lack of
entropy in its input randomness, but rather issues in the way the input
entropy was being encoded, turning uniformly distributed random numbers
read from /dev/urandom into a non-uniform distribution of passwords.

> I've generated a few lists, hashed and then
> cracked them all into a john.pot file.

That's fine, but you could simply create a fake john.pot by prefixing
every password with a colon:

sed 's/^/:/' < generated-passwords.lst > john.pot

> Then generated the chr files. These
> lists did not use Brad's list these were all unique passes I used pwgen to
> generate.
> I then used -i=pwgen (my custom mode in my conf) and
> running for 6hrs so far no cracks on the output.txt file. (new john.pot as
> well).

Perhaps pwgen-win does not have the problem.  Perhaps it simply does not
try to make those passwords "pronounceable", which Ted's pwgen does by
default.  The "-s" option to Ted's pwgen similarly defeats the attack.

       -s, --secure
              Generate completely random, hard-to-memorize  passwords.   These
              should  only be used for machine passwords, since otherwise it's
              almost guaranteed that users will simply write the password on a
              piece of paper taped to the monitor...


P.S. You managed to post your message to a new thread, even though you
reused the Subject.  If you want to post to an existing thread, you need
to use your mail program's "reply" feature on an existing message in the
thread.  (Similarly, whenever you actually do want to start a new
thread, you need to send your message to the posting address anew, not
as a "reply" to anything.)  Thanks!

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.