passwdgen

Tomasz Grobelny tomasz at grobelny.oswiecenia.net
Sat Aug 6 18:42:28 CEST 2005


Dnia sobota 06 sierpnia 2005 17:50, Michal Moskal napisał:
> On 8/6/05, Tomasz Grobelny <tomasz at grobelny.oswiecenia.net> wrote:
> > Dnia \u015broda 03 sierpnia 2005 13:06, maHo wrote:
> > > Hello
> > >
> > > #v+
> > > $ passwdgen -1p@ --min=4 --max=6
> > > #v-
> > >
> > > and it hangs.
> >
> > Because it uses /dev/random which is not very efficient (see strace).
> > Would it be correct to use /dev/urandom? Does it contain the same amount
> > of entropy or is it somehow simpler (and possibly less secure)?
>
> It depends on how paranoid you are. If you believe NSA, FSB or some
> other kind of highly intelligent aliens are going to reverse SHA-1, so
> they can guess next password based of the previous one then you should
> definitely use /dev/random. OTOH if you believe it you should be also
Ok, but would you trust a password generator that is based on rand function 
from glibc (which in turn returns values based only on system time)? If 
somebody knew you use this password generator he would have to check only 
several hundred thousands passwords to hit the right one. That would be a 
major security flaw.
Thus the questions are:
1. How secure is /dev/urandom? Is is closer to /dev/random or to rand()?
2. Should (according to specs) /dev/random be more secure than /dev/urandom?
3. If /dev/urandom is supposed to be less secure but it is secure enough (in 
current kernel implementation) should passwdgen use it? Yes, because it 
works. No, because it could be insecure if kernel behaviour changes. Other 
opinions?

> aware they could be controlling you from space using one of these
> satellites...
>
:D

-- 
Regards,
Tomasz Grobelny



More information about the pld-devel-en mailing list