oss-sec mailing list archives
Re: pwgen: non-uniform distribution of passwords
From: Solar Designer <solar () openwall com>
Date: Wed, 18 Jan 2012 01:53:11 +0400
Kurt, On Tue, Jan 17, 2012 at 02:14:17PM -0700, Kurt Seifried wrote:
I'm of the mind that documenting issues is good but documenting issues doesn't always make them go away. E.g. documenting a default usrname/password where it can be easily changed is reasonable. Documenting a default username/password that cannot be changed doesn't really help to the same degree. In this case we have something that tells you not to use an unsafe option but isn't exceedingly noticeable or clear (if it came up every time you used that option there would be a stringer case for no CVE). I'm sitting on the fence for this one (I can see it going either way), wouldn't mind some more opinions from the smart people on this list.
CVE assignments also don't always make issues go away. I might update/revise my analysis on this issue in a few days. Specifically, I now suspect that a (large) part of the apparent non-uniformity of the distribution was in fact an artifact of my analysis approach. I only analyzed sets of 1 million of pwgen'ed passwords, so I could not directly check the distribution of full passwords (1 million is too little, even compared to the small keyspace of these passwords), whereas JtR only uses trigraph frequencies. I am now generating 1 billion of pwgen'ed passwords, which should take a couple of days to complete. (I could speed this up with some changes to pwgen or by using multiple machines, but I see no need for that. 2 days is fine with me.) Based on the 30 million generated so far, it appears that maybe the primary problem is in fact small keyspace (on the order of 28 bits, it seems) rather than non-uniform distribution - but this is also a preliminary conclusion. Let's wait for the 1 billion, which should be enough for a more reliable conclusion if the keyspace is in fact this small. Alexander
Current thread:
- pwgen: non-uniform distribution of passwords Solar Designer (Jan 17)
- Re: pwgen: non-uniform distribution of passwords Solar Designer (Jan 17)
- Re: Re: pwgen: non-uniform distribution of passwords Henri Salo (Jan 17)
- Re: Re: pwgen: non-uniform distribution of passwords Kurt Seifried (Jan 17)
- Re: pwgen: non-uniform distribution of passwords Solar Designer (Jan 17)
- Re: Re: pwgen: non-uniform distribution of passwords Steven M. Christey (Jan 17)
- Re: Re: pwgen: non-uniform distribution of passwords Henri Salo (Jan 17)
- R: pwgen: non-uniform distribution of passwords valentino.angeletti (Jan 19)
- Re: pwgen: non-uniform distribution of passwords Solar Designer (Jan 19)
- Re: Re: pwgen: non-uniform distribution of passwords Michael Niedermayer (Jan 19)
- Re: pwgen: non-uniform distribution of passwords Solar Designer (Jan 22)
- Re: pwgen: non-uniform distribution of passwords Solar Designer (Jan 17)