Perhaps I should explain why this particular method works for my use case. We got dinged on an internal audit because we have several hundred AD accounts whose password has not be changed in quite some time. The vast majority of these are shared mailbox accounts that are disabled. I used this method in a script to change the password for all of those disabled accounts every couple of months.
In regards to the article, I think I understand your math, but the example I provided generates a 20 character string, not 15, so how does that affect your calculation? - Sean On Wed, Feb 3, 2016 at 7:11 PM, Michael B. Smith <[email protected]> wrote: > So, I just read the article you mentioned, and I have to tell you, I think > he’s (or she’s) incorrect. > > > > GetBytes() returns random bytes. That’s 0-255 taking up 8 bits. Ln2(8) = > 3. Fifteen characters at 3 bits of entropy each will give you 45 bits of > entropy. But then you convert it to Base64. Base64 is limited to 6 bits of > information ( [System.Math]::Pow(2, 6) = 64 ). That is by definition where > the name of the algorithm comes from! Ln2(6) = 2.58. Significant reduction. > > > > He/she also conflates the fact that while a representation of Base64 is > generally longer (although not always for small amounts of text) the > entropy is controlled by the character set, not the representation. > > > > If I remember correctly, the number of printable ASCII characters is > actually only 96. Ln2(7) ~= 2.81. But the number is effectively less than > that, because 32 of those characters are not used. So Ln2(6.5) ~= 2.70. > > > > So the maximum entropy you can obtain with a 15 character password is > ~40.5 – assuming that the password is completely random and the available > character set allows all 96 characters available. That’s almost 50 years to > brute force. But the password will almost certainly be gibberish. > > > > Note: There are assumptions in this calculation: [1] I’m assuming online > cracking attempts, not on-premises. On-premises cracking attempts can be > much much faster, on the order of 50 million attempts a second; [2] Yes, > Windows will allow you to enter in non-printable characters for passwords – > but very few websites (if any?) will allow this. In fact, most websites > have far more strict password guidelines than “15 maximum characters of > charset-96”. > > > > *From:* [email protected] [mailto: > [email protected]] *On Behalf Of *Michael B. Smith > *Sent:* Wednesday, February 3, 2016 10:36 PM > *To:* [email protected] > *Subject:* RE: [powershell] Random Password Generator > > > > The maximum entropy you get from Base64 is 2.58 bits per character, kinda > by definition( ln2( 6 ) ). Given that your maximum length is 15 digits, > that limits you to ~38 bits of entropy. At a thousand guesses a second, > that’s about 8 years to brute force. Not bad. > > > > However, you’ve GIVEN UP over 10 bits of entropy because of four constant > characters, taking you to about 28 bits of entropy. Believe it or not, > having constants makes a password far far easier to crack. (This is why the > revelation of a non-random non-prime in netcat/socat is such a big deal – > it makes Diffie-Helman much much simpler to crack.) > > > > That’s about 3 days to brute force. > > > > That is completely believable for someone to spend the time/energy to > crack. (And remember, the 3 days assumes that your password is the last one > checked, out of the entire “password universe” – on average, assume half > that.) > > > > So, the lesson here is that 15 bytes of base64 is fine (if impossible to > remember). But don’t use constants. Evah. > > > > *From:* [email protected] [ > mailto:[email protected] <[email protected]>] *On > Behalf Of *Sean Martin > *Sent:* Wednesday, February 3, 2016 3:24 PM > *To:* [email protected] > *Subject:* [powershell] Random Password Generator > > > > I don't get the opportunity to contribute all that often so I thought I > would throw this out there in case it helps anyone. > > > I got the method from this article: > https://www.scriptjunkie.us/2013/09/secure-random-password-generation/ > > > > I modify the resulting password by prepending/appending a couple of > special and numerical characters to ensure it meets complexity requirements > in my current environment. > > > > Easy way to generate a secure password whenever the need arises. Critiques > are always welcome. > > > > =================================================================== > > > > # Generate Random Password > > > $randombytes = new-object byte[] 15 > (new-object > System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($randombytes) > $pass = [System.Convert]::ToBase64String($randombytes) > $password = "&#" + $pass + "82" > > > Write-Host "" > Write-Host "Your password is: " -ForeGroundColor Cyan -NoNewLine > Write-Host "$Password" -ForeGroundColor Yellow > Write-Host "" > Write-Host "" > Write-Host "Press enter to exit script..." -ForeGroundColor Cyan > > > $Pause = Read-Host > > Exit > > > > ================================================================== > > > > - Sean > > > ================================================ > Did you know you can also post and find answers on PowerShell in the > forums? > http://www.myitforum.com/forums/default.asp?catApp=1 > > > ================================================ > Did you know you can also post and find answers on PowerShell in the > forums? > http://www.myitforum.com/forums/default.asp?catApp=1 > > ================================================ > Did you know you can also post and find answers on PowerShell in the > forums? > http://www.myitforum.com/forums/default.asp?catApp=1 > ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1
