Package: makepasswd
Version: 1.10-10
Severity: important

Dear Maintainer,

makepasswd, by default, generates passwords that can be cracked in one day or one month by a single PC with a fast GPU.

Why this is true: by default the generated password is from 8 to 10 characters long. Nowadays, an 8-character password is cracked in one day by a single PC with a fast GPU. I saw this using a testing web site (http://password-checker.online-domain-tools.com/) and also by my own calculations based on the number of passwords tested by good crackers.

Why it's a big security problem:
- users rely on the default values to get security
- using this program, users are led to believe that an 8/9-character password is good security (this was my case). For example, I encrypted my sensitive data with a 9-character password.

Security is nothing with only good programs; we also need good practices, good default parameters and good information.

Suggestion: set the password length to 14 and give the information that this is a good security level in 2012. We could set a lower length, but the password should resist not just now but also in a few years.

Regards

-- System Information:
Debian Release: 9.5
  Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-7-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr:en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages makepasswd depends on:
ii  libbytes-random-secure-perl  0.28-1
ii  libcrypt-passwdmd5-perl      1.3-10
ii  perl                         5.24.1-3+deb9u4

makepasswd recommends no packages.

makepasswd suggests no packages.

-- no debconf information
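The report's argument rests on a keyspace calculation: how many passwords a default of 8 to 10 characters admits, and how long a given guess rate needs to enumerate half of them. The following is an added worked example of that calculation, not the reporter's own figures and not code from makepasswd. It assumes a 62-symbol alphanumeric character set (an assumption about makepasswd's default, not taken from the report) and a constructed offline guess rate of 10^9 per second; the 80-bit target used to derive a minimum length is likewise an illustrative choice, not a figure from the report.

```python
import math

# Assumption: the default character set is the 62 alphanumerics [A-Za-z0-9].
DEFAULT_CHARSET_SIZE = 62

# Constructed figure for illustration: a fast single-GPU offline attack on a
# weak hash. Real rates depend heavily on the hash function being attacked.
ASSUMED_GUESSES_PER_SECOND = 10**9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(charset_size)


def expected_crack_seconds(charset_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password by exhaustive search.

    On average the attacker has to try half the keyspace before success.
    """
    return keyspace(charset_size, length) / (2 * guesses_per_second)


def describe_seconds(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def minimum_length(target_bits: float,
                   charset_size: int = DEFAULT_CHARSET_SIZE) -> int:
    """Smallest length whose entropy reaches `target_bits` for this charset."""
    return math.ceil(target_bits / math.log2(charset_size))


def length_table(lengths, guesses_per_second=ASSUMED_GUESSES_PER_SECOND,
                 charset_size=DEFAULT_CHARSET_SIZE):
    """Return (length, entropy_bits, expected_seconds) for each length."""
    return [(n,
             entropy_bits(charset_size, n),
             expected_crack_seconds(charset_size, n, guesses_per_second))
            for n in lengths]


if __name__ == "__main__":
    print(f"charset size {DEFAULT_CHARSET_SIZE}, "
          f"{ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s (assumed)")
    for n, bits, secs in length_table([8, 9, 10, 12, 14]):
        print(f"length {n:2d}: {bits:5.1f} bits, "
              f"expected crack time {describe_seconds(secs)}")
    # An illustrative 80-bit target (not from the report) lands on the
    # same 14-character default the report proposes.
    print("minimum length for 80 bits:", minimum_length(80))
```

Running it shows the gap the report describes: at the assumed rate an 8-character alphanumeric password falls in about a day on average, while 14 characters pushes the expected time to hundreds of millions of years. The `minimum_length` helper turns the question around into the form a maintainer choosing a default would ask: given a target entropy, what is the shortest length that meets it for the charset in use.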