Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Jan 2012 01:53:11 +0400
From: Solar Designer <>
Subject: Re: pwgen: non-uniform distribution of passwords


On Tue, Jan 17, 2012 at 02:14:17PM -0700, Kurt Seifried wrote:
> I'm of the mind that documenting issues is good but documenting issues
> doesn't always make them go away.
> E.g. documenting a default usrname/password where it can be easily
> changed is reasonable. Documenting a default username/password that
> cannot be changed doesn't really help to the same degree.
> In this case we have something that tells you not to use an unsafe
> option but isn't exceedingly noticeable or clear (if it came up every
> time you used that option there would be a stringer case for no CVE).
> I'm sitting on the fence for this one (I can see it going either way),
> wouldn't mind some more opinions from the smart people on this list.

CVE assignments also don't always make issues go away.

I might update/revise my analysis on this issue in a few days.

Specifically, I now suspect that a (large) part of the apparent
non-uniformity of the distribution was in fact an artifact of my
analysis approach.  I only analyzed sets of 1 million of pwgen'ed
passwords, so I could not directly check the distribution of full
passwords (1 million is too little, even compared to the small keyspace
of these passwords), whereas JtR only uses trigraph frequencies.

I am now generating 1 billion of pwgen'ed passwords, which should take a
couple of days to complete.  (I could speed this up with some changes to
pwgen or by using multiple machines, but I see no need for that.  2 days
is fine with me.)  Based on the 30 million generated so far, it appears
that maybe the primary problem is in fact small keyspace (on the order
of 28 bits, it seems) rather than non-uniform distribution - but this is
also a preliminary conclusion.  Let's wait for the 1 billion, which
should be enough for a more reliable conclusion if the keyspace is in
fact this small.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.