On Tue, Feb 27, 2007 at 10:25:13AM +0100, Marc Haber wrote:
> severity #412618 important
> thanks
>
> On Tue, Feb 27, 2007 at 04:19:30AM +0200, Sami Liedes wrote:
> > Package: apg
> > Version: 2.2.3.dfsg.1-1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
>
> NACK. This is not an RC bug.
>
> apg is not a replacement for common sense.
Huh? What's the common sense that says you can't trust in a password
generator that generates passwords that _look_ quite secure, but are
not? I know I have trusted apg on amd64 before to generate secure
passwords.
For example, it's not at all far-fetched that someone could use apg to
generate passwords for 200 users at once. It's hard to catch if it
manages to give 10 users the same password, yet knowledge of that bug
would give an attacker tremendous advantage. Of course the PRNG is so
broken that it might be possible to mount more advanced attacks
against it too.
Sami
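The batch scenario above (one generator run handing out passwords to many users, with duplicates going unnoticed) is the kind of thing an operator can check mechanically. The following is an added example written for this page, not code from apg or from the bug report: it takes a list of generated passwords, lists every value issued more than once, and compares that with the birthday-bound probability a sound generator of the same alphabet and length would ever produce a duplicate in a batch that size. The `weak_generator` is a constructed stand-in whose output depends on an 8-bit seed; it models "a PRNG seeded from too little entropy" in general and makes no claim about how apg's amd64 bug actually behaved.

```python
"""Duplicate audit for a batch of generated passwords.

Added illustration, not apg's code. Feed it the lines apg (or any
generator) printed for a batch of users; it reports duplicates and
whether they can plausibly be chance.
"""
import math
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, typical for generated passwords


def expected_collision_probability(n_passwords: int, alphabet_size: int, length: int) -> float:
    """Probability that a sound (uniform, independent) generator yields at
    least one duplicate among n_passwords strings: the birthday bound."""
    space = alphabet_size ** length
    # P(no collision) = prod_{i=0}^{n-1} (1 - i/space); sum logs to avoid underflow.
    log_no_collision = sum(math.log1p(-i / space) for i in range(n_passwords))
    return 1.0 - math.exp(log_no_collision)


def find_duplicates(passwords):
    """Return {password: count} for every password issued to more than one user."""
    return {p: c for p, c in Counter(passwords).items() if c > 1}


def audit_batch(passwords, alphabet_size=len(ALPHABET), threshold=1e-6):
    """Flag a batch whose duplicates cannot be explained by chance.

    A duplicate in a batch whose birthday-bound collision probability is
    below `threshold` points at a broken generator, not bad luck.
    """
    dups = find_duplicates(passwords)
    length = min(len(p) for p in passwords)
    p_chance = expected_collision_probability(len(passwords), alphabet_size, length)
    return {"duplicates": dups, "p_chance": p_chance,
            "suspicious": bool(dups) and p_chance < threshold}


def sound_generator(n, length=8):
    """Reference: passwords drawn from the OS CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]


def weak_generator(n, length=8, seed_bits=8):
    """Constructed weak generator (hypothetical, not apg): each password is
    fully determined by a fresh seed of only `seed_bits` bits, so only
    2**seed_bits distinct passwords can ever appear."""
    out = []
    for _ in range(n):
        rng = random.Random(secrets.randbelow(2 ** seed_bits))
        out.append("".join(rng.choice(ALPHABET) for _ in range(length)))
    return out


if __name__ == "__main__":
    # Constructed demo: 200 users, as in the scenario discussed above.
    for name, gen in (("sound", sound_generator), ("weak", weak_generator)):
        report = audit_batch(gen(200))
        print(f"{name}: {len(report['duplicates'])} duplicated value(s), "
              f"chance collision probability {report['p_chance']:.2e}, "
              f"suspicious={report['suspicious']}")
```

With 200 eight-character passwords over a 62-symbol alphabet the chance of even one honest collision is on the order of 1e-10, so a single repeated value in such a batch is itself evidence that the generator is broken; the same arithmetic also tells you how large a batch has to be before a healthy generator may legitimately repeat itself.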

