Date: Fri, 11 Oct 2013 09:28:26 +1100 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com, security@...ian.org Subject: Re: RESEND: CVE Request: pwgen On 11 October 2013 00:35, Marcus Meissner <meissner@...e.de> wrote: > (CVE worthyness: > It does not fully meet the security expectations of generating > a non-weak password by default.... > ) "Exploiting in the wild" isn't what I do, but it wouldn't be hard to weed out some pwgen passwords from public dumps simply by doing: pwgen -cn 8 1000000000 | john --stdin pwfile I have a program that tries to mimic the internal state and generate in order of probability, but it still needs some tuning. There will be a couple of slides on pwgen at my Ruxcon talk too. For distros not wanting to ship an insecure program, see https://github.com/therealmik/pwgen/compare/securityfixes I think somebody at Debian needs to do an NMU, since the maintainer is still not responding. Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.