[20178] in bugtraq


Re: flaw in RH ``mkpasswd'' command

daemon@ATHENA.MIT.EDU (Lee Howard)
Thu Apr 12 15:54:07 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID:  <3.0.6.32.20010411175527.00aa7c70@server.deanox.com>
Date:         Wed, 11 Apr 2001 17:55:27 -0600
Reply-To: Lee Howard <faxguy@DEANOX.COM>
From: Lee Howard <faxguy@DEANOX.COM>
X-To:         Shez <shez@MOLIONS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <01041116323808.01025@kara>

At 04:32 PM 4/11/01 +0100, Shez wrote:
>Hey,
>The mkpasswd password generator that ships in the ``expect'' package of (at
>least RedHat 6.2) generates only a relatively small number (2^15 for the
>default password length) of passwords.  Presumably this is a result of trying
>to apply too many rules of what is a ``good'' password to the generation
>process.

Same goes for RedHat 7.0.

wc -l /tmp/passwords
188859
sort -u /tmp/passwords | wc -l
32166

Although I wonder if they're not outweighing the risk of dropping some of
those rules over the risk of having fewer possible passwords.  (Not to say
that I agree with that, though.)

Lee.
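The two counts Lee reports (188859 generated, 32166 unique) can be turned into an estimate of how many distinct passwords the generator is actually able to produce, which is the number that matters when judging it. The following is an added example, not code from either post or from the expect package: it inverts the expected-distinct-values formula for uniform sampling, applies it to the figures above, and runs the same audit against a constructed toy generator whose only randomness is a 15-bit seed (an assumed stand-in for the real mkpasswd, whose internals are not described on this page).

```python
import math
import random
import string


def expected_distinct(keyspace: float, samples: int) -> float:
    """Expected unique values after `samples` uniform draws from `keyspace` values."""
    return keyspace * (1.0 - (1.0 - 1.0 / keyspace) ** samples)


def estimate_keyspace(samples: int, distinct: int) -> float:
    """Bisect for the keyspace size K at which `samples` draws would be expected
    to give `distinct` unique values.  Needs at least one observed repeat."""
    if distinct >= samples:
        raise ValueError("no repeats observed; generate more samples")
    lo, hi = float(distinct), float(distinct)
    while expected_distinct(hi, samples) < distinct:  # grow hi until the root is bracketed
        hi *= 2
    for _ in range(200):
        mid = (lo + hi) / 2
        if expected_distinct(mid, samples) < distinct:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def effective_bits(samples: int, distinct: int) -> float:
    """Effective entropy of the generator's output, in bits."""
    return math.log2(estimate_keyspace(samples, distinct))


# Constructed toy generator (assumption, not mkpasswd's code): a 9-character
# password drawn from 62 symbols, but seeded from only 15 bits, so at most
# 2**15 outputs exist no matter how large the character set is.
CHARSET = string.ascii_letters + string.digits


def weak_generator(seed: int) -> str:
    return "".join(random.Random(seed % (1 << 15)).choices(CHARSET, k=9))


def audit_generator(n: int, master_seed: int = 12345) -> tuple:
    """Run the toy generator n times; return (unique outputs, estimated keyspace)."""
    master = random.Random(master_seed)
    seen = {weak_generator(master.getrandbits(32)) for _ in range(n)}
    return len(seen), estimate_keyspace(n, len(seen))


if __name__ == "__main__":
    # The figures from the post above: 188859 generated, 32166 unique.
    print("mkpasswd sample: ~%.0f values, %.2f bits" % (estimate_keyspace(188859, 32166), effective_bits(188859, 32166)))
    distinct, est = audit_generator(50000)
    print("toy generator: %d unique of 50000 -> ~%.0f values (~%.1f bits)" % (distinct, est, math.log2(est)))
```

For the posted figures the estimate comes out just under 2^15, consistent with the original report; a generator with 9 characters over 62 symbols should instead show no repeats at all in a sample of this size.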
