To clarify, the example from the article generates a 20 character string. My last modified example generates a 24 character string.
- Sean

On Thu, Feb 4, 2016 at 6:53 AM, Sean Martin <[email protected]> wrote:
> Perhaps I should explain why this particular method works for my use case. We got dinged on an internal audit because we have several hundred AD accounts whose password has not been changed in quite some time. The vast majority of these are shared mailbox accounts that are disabled. I used this method in a script to change the password for all of those disabled accounts every couple of months.
>
> In regards to the article, I think I understand your math, but the example I provided generates a 20 character string, not 15, so how does that affect your calculation?
>
> - Sean
>
> On Wed, Feb 3, 2016 at 7:11 PM, Michael B. Smith <[email protected]> wrote:
>
>> So, I just read the article you mentioned, and I have to tell you, I think he’s (or she’s) incorrect.
>>
>> GetBytes() returns random bytes. That’s 0-255 taking up 8 bits. Ln2(8) = 3. Fifteen characters at 3 bits of entropy each will give you 45 bits of entropy. But then you convert it to Base64. Base64 is limited to 6 bits of information ( [System.Math]::Pow(2, 6) = 64 ). That is by definition where the name of the algorithm comes from! Ln2(6) = 2.58. Significant reduction.
>>
>> He/she also conflates the fact that while a representation of Base64 is generally longer (although not always for small amounts of text) the entropy is controlled by the character set, not the representation.
>>
>> If I remember correctly, the number of printable ASCII characters is actually only 96. Ln2(7) ~= 2.81. But the number is effectively less than that, because 32 of those characters are not used. So Ln2(6.5) ~= 2.70.
>>
>> So the maximum entropy you can obtain with a 15 character password is ~40.5 – assuming that the password is completely random and the available character set allows all 96 characters available. That’s almost 50 years to brute force.
>> But the password will almost certainly be gibberish.
>>
>> Note: There are assumptions in this calculation: [1] I’m assuming online cracking attempts, not on-premises. On-premises cracking attempts can be much much faster, on the order of 50 million attempts a second; [2] Yes, Windows will allow you to enter in non-printable characters for passwords – but very few websites (if any?) will allow this. In fact, most websites have far more strict password guidelines than “15 maximum characters of charset-96”.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
>> Sent: Wednesday, February 3, 2016 10:36 PM
>> To: [email protected]
>> Subject: RE: [powershell] Random Password Generator
>>
>> The maximum entropy you get from Base64 is 2.58 bits per character, kinda by definition ( ln2( 6 ) ). Given that your maximum length is 15 digits, that limits you to ~38 bits of entropy. At a thousand guesses a second, that’s about 8 years to brute force. Not bad.
>>
>> However, you’ve GIVEN UP over 10 bits of entropy because of four constant characters, taking you to about 28 bits of entropy. Believe it or not, having constants makes a password far far easier to crack. (This is why the revelation of a non-random non-prime in netcat/socat is such a big deal – it makes Diffie-Hellman much much simpler to crack.)
>>
>> That’s about 3 days to brute force.
>>
>> That is completely believable for someone to spend the time/energy to crack. (And remember, the 3 days assumes that your password is the last one checked, out of the entire “password universe” – on average, assume half that.)
>>
>> So, the lesson here is that 15 bytes of base64 is fine (if impossible to remember). But don’t use constants. Evah.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Sean Martin
>> Sent: Wednesday, February 3, 2016 3:24 PM
>> To: [email protected]
>> Subject: [powershell] Random Password Generator
>>
>> I don't get the opportunity to contribute all that often so I thought I would throw this out there in case it helps anyone.
>>
>> I got the method from this article:
>> https://www.scriptjunkie.us/2013/09/secure-random-password-generation/
>>
>> I modify the resulting password by prepending/appending a couple of special and numerical characters to ensure it meets complexity requirements in my current environment.
>>
>> Easy way to generate a secure password whenever the need arises. Critiques are always welcome.
>>
>> ===================================================================
>>
>> # Generate Random Password
>>
>> # 15 bytes from the CSPRNG; Base64 turns them into a 20-character string
>> $randombytes = new-object byte[] 15
>> (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($randombytes)
>> $pass = [System.Convert]::ToBase64String($randombytes)
>> # Fixed prefix/suffix so the result meets the environment's complexity requirements
>> $password = "&#" + $pass + "82"
>>
>> Write-Host ""
>> Write-Host "Your password is: " -ForeGroundColor Cyan -NoNewLine
>> Write-Host "$Password" -ForeGroundColor Yellow
>> Write-Host ""
>> Write-Host ""
>> Write-Host "Press enter to exit script..." -ForeGroundColor Cyan
>>
>> $Pause = Read-Host
>>
>> Exit
>>
>> ==================================================================
>>
>> - Sean
>>
>> ================================================
>> Did you know you can also post and find answers on PowerShell in the forums?
>> http://www.myitforum.com/forums/default.asp?catApp=1
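As an added example (not code from the thread or from the scriptjunkie article), here is a PowerShell generator that meets complexity rules without the fixed characters discussed above: every character comes from RNGCryptoServiceProvider via rejection sampling (no modulo bias), one character from each class is guaranteed, and the result is shuffled. For comparison, the 15 CSPRNG bytes in the quoted script carry 8 bits each, 120 bits in total; Base64 re-encodes those bits rather than reducing them, while the constant "&#" and "82" add length but no entropy. Assumes Windows PowerShell 5.1 on .NET Framework; the function and parameter names are this example's own.

```powershell
# Added example, not the script from the thread. Windows PowerShell 5.1 /
# .NET Framework assumed; function and parameter names are this example's own.

function Get-UniformIndex {
    # Uniform integer in [0, $Count): take a 32-bit CSPRNG draw and reject draws
    # at or above the largest multiple of $Count, so the modulo has no bias.
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Count)
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Count)
    do {
        $Rng.GetBytes($buf)
        $v = [BitConverter]::ToUInt32($buf, 0)
    } while ($v -ge $limit)
    return [int]($v % $Count)
}

function New-RandomPassword {
    param(
        [int]$Length = 20,
        [string[]]$CharSets = @(
            'abcdefghijklmnopqrstuvwxyz',
            'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
            '0123456789',
            '!@#$%^&*()-_=+[]{}:;,.?'
        )
    )
    if ($Length -lt $CharSets.Count) { throw "Length must be at least $($CharSets.Count)" }
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $all   = -join $CharSets
    $chars = New-Object System.Collections.Generic.List[char]
    # One character from each class satisfies the complexity rule without constants.
    foreach ($set in $CharSets) { $chars.Add($set[(Get-UniformIndex $rng $set.Length)]) }
    # Remaining positions are drawn from the full alphabet.
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-UniformIndex $rng $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters do not sit at fixed positions.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-UniformIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    # Upper bound on entropy: log2(alphabet size) per position. The per-class
    # guarantee lowers it slightly; fixed characters such as '&#' and '82' add none.
    $bits = [math]::Round($Length * [math]::Log($all.Length, 2), 1)
    [pscustomobject]@{ Password = -join $chars; ApproxEntropyBits = $bits }
}

New-RandomPassword -Length 20
```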
