package: lwat
severity: wishlist
version: 0.16-1

Hi,

Nico Golde recently did a code review of lwat and found no real problems, cheers! (And thanks, Nico.) The only problematic thing he found was the password creation function, which creates very simple passwords. On purpose, I guess :-) Still it would be nice if there were a configuration option to also be able to use "pwgen -s 12 1" :-)

regards,
Holger

---------- Forwarded Message ----------

Subject: insecure pwgen function in lwat
Date: Wednesday 05 December 2007 22:27
From: Nico Golde <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hi,
during reading of the lwat source code I stumbled over the following function:

    function pwgen(){
        $pw = '';
        $c = 'bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVW'; //consonants except hard to speak ones
        $v = 'aeiouAEU'; //vowels
        $a = $c.$v; //both
        //use two syllables...
        for($i=0;$i < 2; $i++){
            $pw .= $c[rand(0, strlen($c)-1)];
            $pw .= $v[rand(0, strlen($v)-1)];
            $pw .= $a[rand(0, strlen($a)-1)];
        }
        //... and add a nice number
        $pw .= rand(10,99);
        return $pw;
    }

This does give us pretty much information about how the passwords will look:

Passwords are 8 characters long
1st and 4th character are from bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVW
2nd and 5th character are from aeiouAEU
3rd and 6th character are from bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVWaeiouAEU
7th character is between 1 and 9
8th character is between 0 and 9.

I am too lazy to calculate how many possibilities this will have, but it's really pretty well brute-forceable in my opinion and should not be considered to be secure.

I guess this algorithm is intended to create passwords that a human can remember? :)

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------------------------------------------------