Control: tags -1 +patch

So... how exactly are these vulnerabilities?

2. is what this program is supposed to do: produce _pronounceable_ passwords
instead of pure line noise.  Sure, these do have less entropy than pure line
noise for the same length, but the point is to make something that's
possible to remember.  If I wanted fully random unbiased ASCII characters,
I'd use a perl one-liner instead of a complex generator like pwgen.

As for 4., as Steven remarked, this is done intentionally to placate
"password quality checkers".  Also, while allowing an all-lowercase password
2^-8 of the time does have negligibly more resilience against an exhaustive
attack, it is massively worse against attacks prevalent in the real world. 
Thus, paying this small amount of entropy is well worth it.

And as for 3., please read http://www.2uo.de/myths-about-urandom/
Heck, FreeBSD doesn't even _have_ /dev/random in Linux's sense -- and no one
is calling it insecure.

So these three points are complete non-issues.


I do agree with 1., though, so here's a patch to fix it.

Let's have pwgen in jessie!

-- 
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets.  Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.
diff -Nurd pwgen-2.06.orig/pwgen.1 pwgen-2.06/pwgen.1
--- pwgen-2.06.orig/pwgen.1	2007-07-05 01:42:19.000000000 +0200
+++ pwgen-2.06/pwgen.1	2014-10-21 11:54:31.203356332 +0200
@@ -43,26 +43,6 @@
 will only generate one password, as this tends to be much more convenient
 for shell scripts, and in order to be 
 compatible with previous versions of this program.
-.PP
-In addition, for
-backwards compatibility reasons, when stdout is not a tty and secure
-password generation mode has not been requested,
-.B pwgen
-will generate less secure passwords, as
-if the
-.B \-0A
-options had been passed to it on the command line.  This can be
-overriden using the
-.B \-nc
-options.  In the future, the behavior when stdout is a tty may change, so 
-shell scripts using
-.B pwgen
-should explicitly specify the
-.B \-nc
-or
-.B \-0A
-options.  The latter is not recommended for security reasons, since 
-such passwords are far too easy to guess.
 .B
 .SH OPTIONS
 .TP
diff -Nurd pwgen-2.06.orig/pwgen.c pwgen-2.06/pwgen.c
--- pwgen-2.06.orig/pwgen.c	2007-07-05 01:42:19.000000000 +0200
+++ pwgen-2.06/pwgen.c	2014-10-21 11:51:16.361031403 +0200
@@ -96,10 +96,9 @@
 
 	pwgen = pw_phonemes;
 	pw_number = pw_random_number;
-	if (isatty(1)) {
+	if (isatty(1))
 		do_columns = 1;
-		pwgen_flags |= PW_DIGITS | PW_UPPERS;
-	}
+	pwgen_flags |= PW_DIGITS | PW_UPPERS;
 
 	while (1) {
 #ifdef HAVE_GETOPT_LONG
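Review bot: moving `pwgen_flags |= PW_DIGITS | PW_UPPERS;` out of the `isatty(1)` branch is a silent behaviour change for every script that pipes pwgen's output and relied on the old non-tty defaults; the patch should carry a NEWS.Debian or changelog entry and update the usage/help text to match the man-page change, and neither is present here. The flags are set before the `while (1)` option loop, so `-0`/`-A` presumably still act as overrides, provided the option handling below clears them as the removed man-page text implies. Minor style point: with the braces removed, `do_columns = 1;` is the sole statement under `if (isatty(1))`, which is correct, but keeping the braces would avoid the classic dangling-statement mistake if a second line is added there later.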

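The entropy trade-off argued for point 4. above, worked through as an added example (this is not code from the message or from pwgen, and it models a uniform random generator over 62 characters rather than pwgen's phoneme generator, so the 2^-8 figure quoted above does not apply here). It counts, by inclusion-exclusion, how many passwords survive a "must contain a digit and a capital" rule, converts the rejected fraction into bits of entropy paid, and shows the rejection-sampling generator that enforces the rule without biasing the survivors:

```python
import math
import secrets
import string

# Assumed alphabet: 26 lowercase + 26 uppercase + 10 digits = 62 symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALPHABET = LOWER + UPPER + DIGITS


def count_with_required_classes(length, alphabet_size=62, n_upper=26, n_digits=10):
    """Number of length-`length` strings over the alphabet that contain at least
    one uppercase letter AND at least one digit.

    Inclusion-exclusion: all strings, minus those with no uppercase, minus those
    with no digit, plus those with neither (subtracted twice above)."""
    no_upper = alphabet_size - n_upper
    no_digit = alphabet_size - n_digits
    neither = alphabet_size - n_upper - n_digits
    return (alphabet_size ** length
            - no_upper ** length
            - no_digit ** length
            + neither ** length)


def entropy_cost_bits(length, alphabet_size=62, n_upper=26, n_digits=10):
    """Entropy lost (in bits) by rejecting every password that lacks a digit or a
    capital, relative to drawing uniformly from the full space.  A uniform draw
    from the surviving set has log2(kept) bits; the full space has log2(total)."""
    total = alphabet_size ** length
    kept = count_with_required_classes(length, alphabet_size, n_upper, n_digits)
    return math.log2(total) - math.log2(kept)


def has_required_classes(pw):
    """The same rule as a predicate on a candidate password."""
    return any(c in UPPER for c in pw) and any(c in DIGITS for c in pw)


def generate(length):
    """Rejection sampling: draw uniformly, discard candidates that fail the rule.
    Conditioning a uniform draw on acceptance leaves the output uniform over the
    accepted set, so no character position is biased toward a class."""
    while True:
        pw = ''.join(secrets.choice(ALPHABET) for _ in range(length))
        if has_required_classes(pw):
            return pw


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"length {n}: class rule costs {entropy_cost_bits(n):.3f} bits "
              f"out of {n * math.log2(62):.1f}")
    print("sample:", generate(12))
```

For 8-character passwords the rule rejects roughly a quarter of the uniform space, which is well under half a bit of entropy; the cost shrinks further with length, because longer strings are more likely to contain both classes anyway. That is the quantitative version of the claim that the entropy paid to placate class-based checkers is small.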