Your message dated Wed, 15 Jun 2005 01:32:36 -0400
with message-id <[EMAIL PROTECTED]>
and subject line Bug#276976: fixed in pwgen 2.04-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Oct 2004 20:23:18 +0000
From [EMAIL PROTECTED] Sun Oct 17 13:23:18 2004
Return-path: <[EMAIL PROTECTED]>
Received: from trofast.sesse.net [129.241.93.32]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CJHYj-0005gf-00; Sun, 17 Oct 2004 13:23:18 -0700
Received: from sesse by trofast.sesse.net with local (Exim 3.36 #1 (Debian))
id 1CJHYh-0002zj-00; Sun, 17 Oct 2004 22:23:15 +0200
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Steinar H. Gunderson" <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: pwgen: documentation does not inform the user that the default passwords are insecure
X-Mailer: reportbug 2.99.5
Date: Sun, 17 Oct 2004 22:23:15 +0200
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: pwgen
Version: 2.03-1
Severity: important
Tags: security
pwgen's default passwords ("pronounceable" eight-letter passwords, i.e. without -s)
only span a very limited range of the keyspace; furthermore,
enumerating them all in a program based on pwgen's source code is not
very hard. I did so a while ago, and ended up with only about 10^9
unique passwords (which is a _lot_ less than the 60^8 or whatever you
get with -s); this is probably too much for an on-line password
brute force attack, but it's definitely within reach for most offline
attacks (i.e. feed it as a dictionary to John the Ripper for cracking
/etc/shadow).
The documentation should probably warn the users about this; I'm not
advocating -s by default (that would probably lead to people simply
writing down their passwords), but people should at least be made aware
that the generated passwords may be crackable.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8.1
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1
Versions of packages pwgen depends on:
ii libc6 2.3.2.ds1-17 GNU C Library: Shared libraries an
-- no debconf information
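The report above argues from two numbers: the size of the space a pronounceable generator can actually produce, and the size of the space a uniformly random password of the same length would cover. The script below is an added example illustrating that argument; it is not pwgen's code, nor the enumerator the reporter wrote. Its phoneme tables, its alternating consonant/vowel grammar and the hash rate in the summary are all assumptions constructed for the illustration, so the counts it prints describe this toy grammar only, not pwgen. It counts the grammar's keyspace exactly with a recurrence, can stream the same space as a wordlist, and puts the result next to the uniform keyspace in bits.

```python
"""Keyspace of a pronounceable-password grammar vs. uniformly random passwords.

Added example for this bug report; it is not pwgen's code, and the phoneme
tables below are constructed for illustration rather than taken from pwgen.
"""
import math
import sys
from functools import lru_cache

# Constructed toy grammar (an assumption, not pwgen's algorithm): a password
# is an alternating sequence of consonant units and vowel units, starting
# with a consonant, whose total length is exactly the requested number of
# characters.
CONSONANTS = list("bcdfghjklmnprstvwz") + ["ch", "sh", "th"]
VOWELS = list("aeiou") + ["ai", "ee", "oo"]
UNITS = {"C": CONSONANTS, "V": VOWELS}
NEXT = {"C": "V", "V": "C"}


@lru_cache(maxsize=None)
def count_passwords(length: int, kind: str = "C") -> int:
    """Exact number of distinct passwords of `length` characters the grammar
    can produce, computed by recurrence rather than enumeration so it stays
    cheap at lengths where the list itself would not fit in memory.
    A unit is never followed by a unit of its own kind, so no two unit
    sequences spell the same string and this equals the number of distinct
    strings."""
    if length == 0:
        return 1
    return sum(count_passwords(length - len(u), NEXT[kind])
               for u in UNITS[kind] if len(u) <= length)


def enumerate_passwords(length: int, kind: str = "C", prefix: str = ""):
    """Yield every password of exactly `length` characters the grammar can
    produce. This is the dictionary an offline cracker would be fed."""
    if length == 0:
        yield prefix
        return
    for unit in UNITS[kind]:
        if len(unit) <= length:
            yield from enumerate_passwords(length - len(unit), NEXT[kind],
                                           prefix + unit)


def compare_keyspaces(length: int, alphabet_size: int = 26) -> dict:
    """Grammar keyspace vs. uniform choice from `alphabet_size` characters at
    the same length, both as raw counts and as bits of entropy."""
    grammar = count_passwords(length)
    uniform = alphabet_size ** length
    return {
        "grammar_count": grammar,
        "grammar_bits": math.log2(grammar),
        "uniform_count": uniform,
        "uniform_bits": math.log2(uniform),
        "fraction_covered": grammar / uniform,
    }


def offline_crack_seconds(keyspace: int, hashes_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at an assumed hash rate. The
    rate is a parameter: it depends on the hash and on the attacker's
    hardware, and no particular figure is claimed here."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # `python3 keyspace.py 8` prints the comparison;
    # `python3 keyspace.py 8 --list` streams the wordlist to stdout.
    n = int(sys.argv[1]) if len(sys.argv) > 1 and sys.argv[1].isdigit() else 8
    if "--list" in sys.argv:
        for pw in enumerate_passwords(n):
            sys.stdout.write(pw + "\n")
    else:
        r = compare_keyspaces(n)
        print(f"grammar: {r['grammar_count']:,} passwords "
              f"({r['grammar_bits']:.1f} bits)")
        print(f"uniform: {r['uniform_count']:,} passwords "
              f"({r['uniform_bits']:.1f} bits)")
        print(f"grammar covers {r['fraction_covered']:.2e} of the uniform keyspace")
        rate = 1e6  # assumed hashes per second, illustrative only
        print(f"at {rate:.0e} hashes/s: grammar "
              f"{offline_crack_seconds(r['grammar_count'], rate) / 60:.1f} min, "
              f"uniform "
              f"{offline_crack_seconds(r['uniform_count'], rate) / 86400:.0f} days")
```

For this toy grammar the eight-character keyspace is just under 10^8 strings, about 26.6 bits, against 26^8 (about 37.6 bits) for uniform lowercase letters of the same length; the gap is the report's point, and the exact figures for pwgen itself are whatever the reporter's enumeration of pwgen's own tables gives, not these. The wordlist written by `--list` is the input for John the Ripper's wordlist mode (`john --wordlist=FILE hashfile`).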
---------------------------------------
Received: (at 276976-close) by bugs.debian.org; 15 Jun 2005 05:39:20 +0000
From [EMAIL PROTECTED] Tue Jun 14 22:39:20 2005
Return-path: <[EMAIL PROTECTED]>
Received: from newraff.debian.org [208.185.25.31] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DiQcS-0003kL-00; Tue, 14 Jun 2005 22:39:20 -0700
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
id 1DiQVw-0000U0-00; Wed, 15 Jun 2005 01:32:36 -0400
From: [EMAIL PROTECTED] (Theodore Y. Ts'o)
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#276976: fixed in pwgen 2.04-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 15 Jun 2005 01:32:36 -0400
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 4
Source: pwgen
Source-Version: 2.04-1
We believe that the bug you reported is fixed in the latest version of
pwgen, which is due to be installed in the Debian FTP archive:
pwgen_2.04-1.diff.gz
to pool/main/p/pwgen/pwgen_2.04-1.diff.gz
pwgen_2.04-1.dsc
to pool/main/p/pwgen/pwgen_2.04-1.dsc
pwgen_2.04-1_i386.deb
to pool/main/p/pwgen/pwgen_2.04-1_i386.deb
pwgen_2.04.orig.tar.gz
to pool/main/p/pwgen/pwgen_2.04.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Theodore Y. Ts'o <[EMAIL PROTECTED]> (supplier of updated pwgen package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 15 Jun 2005 00:39:10 -0400
Source: pwgen
Binary: pwgen
Architecture: source i386
Version: 2.04-1
Distribution: unstable
Urgency: low
Maintainer: Theodore Y. Ts'o <[EMAIL PROTECTED]>
Changed-By: Theodore Y. Ts'o <[EMAIL PROTECTED]>
Description:
pwgen - Automatic Password generation
Closes: 51307 154561 182595 276307 276976 282076 311461
Changes:
pwgen (2.04-1) unstable; urgency=low
.
* New upstream version.
* Adopt maintainership of pwgen. (Closes: #282076)
* Fix minor bug in man page. (Closes: #311461)
* Convert from debmake to debhelper
* Add the --sha1 option so that pwgen uses the SHA1 hash to generate
(not so) random passwords.
* Add --symbols option which adds special symbols to the password.
(Closes: #154561)
* Add short options for --no-capitalize and --no-numerals and make those
options work when --secure is specified.
* Add --ambiguous option which avoids characters that can be confused by
the user. (Closes: #51307)
* Fix bug where --no-capitalized and --no-numerals were ignored for short
passwords. (Closes: #276307)
* In the pwgen man page, explain that human-memorable passwords are
subject to off-line brute force attacks. (Closes: #276976)
* Allow one or more capital letters and digits in human-friendly
passwords (Closes: #182595)
Files:
f6a75e4e0f2169e187948e8f624a3877 544 admin optional pwgen_2.04-1.dsc
c6116603f89a65d1b6ea4bdce00106fb 47276 admin optional pwgen_2.04.orig.tar.gz
27337e7ac1433e6bbb7304cb292b333b 20 admin optional pwgen_2.04-1.diff.gz
7807f22617f13270d79753ca8f01b136 16756 admin optional pwgen_2.04-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFCr7e77To545NnTEARAuQ4AKCK+7LLMXQIoJg9Lj/muzjSGxTqhgCfVmyE
576eNyWmVWLIHI87CJ2hykk=
=RpcM
-----END PGP SIGNATURE-----