[20159] in bugtraq
flaw in RH ``mkpasswd'' command
daemon@ATHENA.MIT.EDU (Shez)
Wed Apr 11 15:14:52 2001
Message-ID: <01041116323808.01025@kara>
Date: Wed, 11 Apr 2001 16:32:38 +0100
Reply-To: Shez <shez@MOLIONS.COM>
From: Shez <shez@MOLIONS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Hey,
The mkpasswd password generator that ships in the ``expect'' package of (at
least) RedHat 6.2 generates only a relatively small number (2^15 for the
default password length) of passwords. Presumably this is a result of trying
to apply too many rules of what is a ``good'' password to the generation
process.
Simple test:
mkdir -p /tmp/shez
while [ 1 ] ; do mkpasswd >> /tmp/shez/passwords ; done &
sleep 16000 # this is long enough to demonstrate enough on my machine
kill %1
wc -l /tmp/shez/passwords
113544
sort -u /tmp/shez/passwords | wc -l
32193
IIRC I reported this to redhat last year some time.
Cheers
Shez
P.S.
Apologies if you've seen this already; I couldn't see anything in the
archives on it, but I've not been on bugtraq for a while now.
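The post's test yields two numbers (passwords drawn, distinct passwords seen) and leaves the reader to infer "about 2^15". The following is an added example, not part of the post and not the expect package's mkpasswd: it repeats the count-the-distinct-outputs test in-process and turns those two numbers into an estimate of the generator's output-space size and its entropy in bits, using the coupon-collector relation E[unique] = K * (1 - (1 - 1/K)^n) solved for K. The two generators it measures (weak_generate, a rule-heavy fixed template with a tiny per-position alphabet; strong_generate, independent uniform choice from the full alphanumeric set) are constructed stand-ins for illustration, and the 20000-sample size is an arbitrary choice.

```python
"""Estimating how many distinct passwords a generator can actually produce.

Added example, not code from the bugtraq post: the generators below are
constructed stand-ins, not the expect package's mkpasswd.
"""
import math
import secrets
import string
from typing import Callable, Tuple


def estimate_keyspace(n_samples: int, n_unique: int) -> float:
    """Estimate K, the number of distinct outputs the generator can produce,
    from n_samples draws of which n_unique were distinct.

    Assumes outputs are roughly uniform over the space and solves
    E[unique] = K * (1 - (1 - 1/K)^n) for K by bisection (the right-hand
    side increases with K).  Returns math.inf when no collision occurred:
    the sample then gives only the lower bound K >= n_samples.
    """
    if n_unique <= 0 or n_unique > n_samples:
        raise ValueError("need 0 < n_unique <= n_samples")
    if n_unique == n_samples:
        return math.inf

    def expected_unique(k: float) -> float:
        # k * (1 - (1 - 1/k)^n), written with log1p/expm1 so it stays
        # accurate when k is large and 1/k is tiny
        return k * -math.expm1(n_samples * math.log1p(-1.0 / k))

    lo, hi = float(n_unique), 1e15   # expected_unique(lo) < n_unique < expected_unique(hi)
    for _ in range(200):
        mid = (lo + hi) / 2
        if expected_unique(mid) < n_unique:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def entropy_bits(keyspace: float) -> float:
    """Entropy, in bits, of a uniform choice from a space of the given size."""
    return math.log2(keyspace)


def measure(generate: Callable[[], str], n_samples: int) -> Tuple[int, int]:
    """The post's shell test, in-process: draw n_samples passwords and
    return (samples drawn, distinct passwords seen)."""
    return n_samples, len({generate() for _ in range(n_samples)})


# Constructed stand-in for a rule-heavy generator: a fixed vowel/consonant
# template with five candidates per position, so only 5**4 = 625 outputs
# exist no matter how good the underlying randomness is.
WEAK_TEMPLATE = ("aeiou", "bcdfg", "aeiou", "bcdfg")


def weak_generate(rng=secrets) -> str:
    return "".join(rng.choice(cls) for cls in WEAK_TEMPLATE)


def strong_generate(length: int = 8, rng=secrets) -> str:
    """Independent uniform choice of each character from the full
    alphanumeric alphabet: 62**8 possible outputs for the default length."""
    alphabet = string.ascii_letters + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The post's own figures: 113544 passwords generated, 32193 distinct.
    k = estimate_keyspace(113544, 32193)
    print(f"post's data: ~{k:.0f} distinct passwords, ~{entropy_bits(k):.1f} bits")

    for name, gen in (("weak", weak_generate), ("strong", strong_generate)):
        n, u = measure(gen, 20000)
        k = estimate_keyspace(n, u)
        bits = "no collisions, only a lower bound" if math.isinf(k) else f"~{entropy_bits(k):.1f} bits"
        print(f"{name}: {u} distinct of {n} drawn; space ~{k:.0f}, {bits}")
```

Run on the post's figures, the estimator lands at roughly 33,000 possible passwords, a little over 15 bits, which is the "2^15" the post states. For the weak stand-in the sample saturates the whole 625-entry space, so the estimate is essentially exact; for the strong stand-in 20000 draws produce no collision at all, and the honest answer is that the sample only bounds the space from below. That asymmetry is the practical caveat: a collision count can prove a generator weak, but it cannot prove one strong without a sample large enough to expect collisions.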