What if the password generators are hacked?
Submitted by robot_terror on Wed, 01/30/2008 - 09:18.
For many years I have recommended the use of online (and off-line) password generators for people needing assistance with making relatively strong passwords. But I've long had this nagging suspicion trying to express itself and yet have not until now. Right now, in fact.
What if the password generators are hacked or compromised? More specifically, what if the password generators choose from a set list of passwords that brute-force attackers then use in their automated attacks? Or, what if the list of generated passwords is compromised and, worse, related to the requesting IP address?
Limiting the possibilities of passwords dramatically increases the chances of brute-force password attacks succeeding.
A client once asked why he needed to change a password that had been guessed by an attacker -- after all "X" website rated the password as "Very Strong". I told him about my favorite password of all time -- the one used to launch the US nuclear missiles aimed at the Soviet Union in the movie Wargames. For the last several minutes of the film the password CPE1704TKS is flashing on the screen. Finally the computer realizes that thermonuclear war is less competitive than tic-tac-toe and stops the launch. Just because CPE1704TKS is a nice, letter/number combination that is not related to my user name, domain or pet iguana, doesn't mean I should use it for anything. After all, it's a well-known password. The client understood this (non-technical) explanation and changed his password (probably to CPE1704TKS1, but that's another story).
So, just as one cannot use a well-known password, even if it is well-formed, should we encourage the use of programmatically generated or, even more suspicious, website generated passwords?
Tell me what you think.
Robot.

apt-get install apg - Automatic Password Generator
Hello, robot!
Thanks for the insight into so many worlds of technical spaghetti!
apg was written by Adel I. Mirzazhanov. His website houses an online version of his password generator. It may be worth it to ask his opinion on this issue, if the opportunity arises. I prefer to use the command line method, myself.
I use apg on a regular basis for generating random passwords. According to the man page, the "default algorithm is pronounceable password generation algorithm designed by Morrie Gasser and described in 'A Random Word Generator For Pronounceable Passwords'" from NTIS. But, that is just the default.
I use this syntax with apg:
apg -a 1 -n 5 -m 8 -x 8 -MNCL -l
This generates five 8-character random, unpronounceable passwords at a time, using upper and lower case and numerals, and outputs a "military-speak" pronunciation guide, as such:
$ apg
oI0wnUy9 oscar-India-ZERO-whiskey-november-Uniform-yankee-NINE
tRy5QQad tango-Romeo-yankee-FIVE-Quebec-Quebec-alfa-delta
sVv56deq sierra-Victor-victor-FIVE-SIX-delta-echo-quebec
MTfAg1sp Mike-Tango-foxtrot-Alfa-golf-ONE-sierra-papa
j3nkSgn6 juliett-THREE-november-kilo-Sierra-golf-november-SIX
Now, going further in the man page for apg, I find that the second of the two algorithms it uses adheres to RFC1750, with exception that it uses CAST or SHA-1 rather than Triple DES. It uses these encryption algorithms in combination with the "local system time in precision of microseconds (see gettimeofday(2)) and /dev/random (if available) to produce initial random seed."
From what I can tell, it works well, and is not (easily) hackable or archiveable for use in an attempt to compromise a server.
Furthermore, you CAN specify a dictionary file for use in password generation, however, it is used as a filter, so that generated passwords do not match it. Alternatively, there is an option which asks the user for a random sequence that is used as a seed for random password generation.
I run Ubuntu 7.04 on the laptop which houses most of my apg usage, and have been quite happy with every password apg has given me from the loins of thin, random air.
/cs
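The two points raised in this thread (the original post's worry about a generator that picks from a fixed list, and cs's description of apg drawing from a CSPRNG and using the dictionary only as a filter) can be made concrete with a small model. The following Python is an added example written for this page; it is not apg's code. It mirrors the behaviour of `apg -a 1 -M NCL -l -r <dict>`: each character is drawn uniformly from the combined alphabet with the operating system's CSPRNG (`secrets`, which reads the kernel pool much as apg reads /dev/random for its seed), every requested class must appear, any candidate found in the dictionary is rejected rather than used as a source, and the "military-speak" guide is printed. It also computes the exact size of the search space an attacker faces, so the fixed-list case can be compared directly. The wordlist, the `rng` parameter and the function names are constructed for the example.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes, following apg's -M mode letters: N numerals, C capitals, L lowercase.
CLASSES = {
    "N": string.digits,
    "C": string.ascii_uppercase,
    "L": string.ascii_lowercase,
}

# NATO spelling as apg -l prints it: lowercase letter -> lowercase word,
# capital letter -> Capitalised word, digit -> upper-case number word.
NATO = {
    "a": "alfa", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo", "f": "foxtrot",
    "g": "golf", "h": "hotel", "i": "india", "j": "juliett", "k": "kilo", "l": "lima",
    "m": "mike", "n": "november", "o": "oscar", "p": "papa", "q": "quebec", "r": "romeo",
    "s": "sierra", "t": "tango", "u": "uniform", "v": "victor", "w": "whiskey", "x": "x-ray",
    "y": "yankee", "z": "zulu",
}
DIGIT_WORDS = ["ZERO", "ONE", "TWO", "THREE", "FOUR", "FIVE", "SIX", "SEVEN", "EIGHT", "NINE"]


def pronounce(password):
    """Return the hyphen-joined pronunciation guide for a password."""
    words = []
    for ch in password:
        if ch.isdigit():
            words.append(DIGIT_WORDS[int(ch)])
        elif ch.isupper():
            words.append(NATO[ch.lower()].capitalize())
        else:
            words.append(NATO[ch])
    return "-".join(words)


def generate(length=8, modes="NCL", dictionary=frozenset(), rng=secrets):
    """Draw one password uniformly from the alphabet formed by the requested classes.

    Every class must appear at least once, and any candidate whose lowercase form
    is in `dictionary` is thrown away: the dictionary is a filter, never a source.
    `rng` only needs a `choice(sequence)` method; `secrets` is the OS CSPRNG.
    """
    alphabet = "".join(CLASSES[m] for m in modes)
    while True:
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if not all(any(c in CLASSES[m] for c in candidate) for m in modes):
            continue  # a required class is missing; redraw
        if candidate.lower() in dictionary:
            continue  # matches the blocklist; redraw
        return candidate


def candidate_count(length, modes):
    """Exact number of distinct passwords generate() can return.

    Counts strings over the combined alphabet that contain every required
    class, by inclusion-exclusion over the classes that are omitted.
    """
    total = 0
    for k in range(len(modes) + 1):
        for omitted in combinations(modes, k):
            size = sum(len(CLASSES[m]) for m in modes if m not in omitted)
            total += (-1) ** k * size ** length
    return total


def brute_force_bits(length, modes):
    """log2 of the search space: the work factor a blind brute-force attack faces."""
    return math.log2(candidate_count(length, modes))


if __name__ == "__main__":
    # Constructed wordlist standing in for apg's -r dictionary file.
    blocklist = frozenset({"cpe1704tks", "password", "qwerty12"})
    for _ in range(5):
        pw = generate(8, "NCL", blocklist)
        print(pw, pronounce(pw))
    print(f"8-char NCL password: {brute_force_bits(8, 'NCL'):.1f} bits of search space")
    # The original post's scenario: a generator that only hands out entries from a fixed list.
    print(f"fixed list of 10,000 passwords: {math.log2(10_000):.1f} bits of search space")
```

The comparison printed at the end is the whole argument in two numbers: a genuinely random 8-character mixed-class password leaves roughly 47 bits to search, while a generator that merely selects from a list of ten thousand known strings leaves about 13, no matter how "strong" each individual entry looks.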
Good info - thanks
Dear cs,
I took your advice and added the APGOnline software to my server. In fact, you're soaking in it! I mean, I added it to the right column of the page and on each request "random" passwords are generated and made available for consideration.
Thanks for the recommendation!
Robot