lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Jan 2012 23:51:31 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: bugtraq@...urityfocus.com, Theodore Ts'o <tytso@....edu> Subject: Re: pwgen: non-uniform distribution of passwords On Tue, Jan 17, 2012 at 02:01:38PM +0400, Solar Designer wrote: > Time running (D:HH:MM) - Keyspace searched - Passwords cracked > 0:00:02 - 0.0008% - 6.0% > 0:01:00 - 0.025% - 19.5% > 0:20:28 - 0.5% - 39.1% > 1:16:24 - 1.0% - 47.1% > 3:00:48 - 1.8% - 55.2% > 3:21:44 - 2.3% - 59.4% > 5:05:17 - 3.1% - 64.2% ... > I did some testing of pwgen-2.06's "pronounceable" passwords, and I > think they might be weaker than you had expected (depends on what you > had expected, which I obviously don't know). It was just pointed out to me off-list that the man page for pwgen specifically mentions that this kind of passwords "should not be used in places where the password could be attacked via an off-line brute-force attack." I had missed that detail or at least I did not recall it. This kind of documentation certainly mitigates the problem to some extent. Yet I think this gives users the perception that only the keyspace is smaller, not that the generated passwords are distributed non-uniformly. In fact, most users would not even think of the latter risk. The passwords look much stronger than they actually are, and I think this is a problem. They look like almost random sequences of 8 characters, whereas the level of security for 6% to 20% of them is similar to that of dictionary words with minor mangling. Sure, there's a trade-off, but non-uniform distribution didn't have to be part of it. That's an implementation shortcoming. > Specifically, not only the keyspace is significantly smaller than that > for "secure" passwords (which I'm sure you were aware of), but also the > distribution is highly non-uniform. My guess is that this results from > different phonemes containing the same characters. So certain > substrings can be produced in more than one way, and then some > characters turn out to be more probable than some others (especially as > it relates to their conditional probabilities given certain preceding > characters). Alexander
Powered by blists - more mailing lists