Not to be dense, but why would you get dinged on passwords for disabled 
accounts? The password is completely irrelevant on a disabled account—unless 
it’s enabled/disabled on some sort of rotation, but I can’t imagine what 
scenario that would be for shared mailboxes.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Sean Martin
Sent: Thursday, February 04, 2016 7:58 AM
To: [email protected]
Subject: Re: [powershell] Random Password Generator

To clarify, the example from the article generates a 20 character string. My 
last modified example generates a 24 character string.

- Sean

On Thu, Feb 4, 2016 at 6:53 AM, Sean Martin <[email protected]> wrote:
Perhaps I should explain why this particular method works for my use case. We 
got dinged on an internal audit because we have several hundred AD accounts 
whose password has not been changed in quite some time. The vast majority of 
these are shared mailbox accounts that are disabled. I used this method in a 
script to change the password for all of those disabled accounts every couple 
of months.

In regards to the article, I think I understand your math, but the example I 
provided generates a 20 character string, not 15, so how does that affect your 
calculation?

- Sean

On Wed, Feb 3, 2016 at 7:11 PM, Michael B. Smith <[email protected]> wrote:
So, I just read the article you mentioned, and I have to tell you, I think he’s 
(or she’s) incorrect.

GetBytes() returns random bytes. That’s 0-255 taking up 8 bits. Ln2(8) = 3. 
Fifteen characters at 3 bits of entropy each will give you 45 bits of entropy. 
But then you convert it to Base64. Base64 is limited to 6 bits of information ( 
[System.Math]::Pow(2, 6) = 64 ). That is by definition where the name of the 
algorithm comes from! Ln2(6) = 2.58. Significant reduction.

He/she also conflates the fact that while a representation of Base64 is 
generally longer (although not always for small amounts of text) the entropy is 
controlled by the character set, not the representation.

If I remember correctly, the number of printable ASCII characters is actually 
only 96. Ln2(7) ~= 2.81. But the number is effectively less than that, because 
32 of those characters are not used. So Ln2(6.5) ~= 2.70.

So the maximum entropy you can obtain with a 15 character password is ~40.5 – 
assuming that the password is completely random and the available character set 
allows all 96 characters available. That’s almost 50 years to brute force. But 
the password will almost certainly be gibberish.

Note: There are assumptions in this calculation: [1] I’m assuming online 
cracking attempts, not on-premises. On-premises cracking attempts can be much 
much faster, on the order of 50 million attempts a second; [2] Yes, Windows 
will allow you to enter in non-printable characters for passwords – but very 
few websites (if any?) will allow this. In fact, most websites have far more 
strict password guidelines than “15 maximum characters of charset-96”.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, February 3, 2016 10:36 PM
To: [email protected]
Subject: RE: [powershell] Random Password Generator

The maximum entropy you get from Base64 is 2.58 bits per character, kinda by 
definition( ln2( 6 ) ). Given that your maximum length is 15 digits, that 
limits you to ~38 bits of entropy. At a thousand guesses a second, that’s about 
8 years to brute force. Not bad.

However, you’ve GIVEN UP over 10 bits of entropy because of four constant 
characters, taking you to about 28 bits of entropy. Believe it or not, having 
constants makes a password far far easier to crack. (This is why the revelation 
of a non-random non-prime in netcat/socat is such a big deal – it makes 
Diffie-Hellman much much simpler to crack.)

That’s about 3 days to brute force.

That is completely believable for someone to spend the time/energy to crack. 
(And remember, the 3 days assumes that your password is the last one checked, 
out of the entire “password universe” – on average, assume half that.)

So, the lesson here is that 15 bytes of base64 is fine (if impossible to 
remember). But don’t use constants. Evah.
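The arithmetic behind the entropy discussion in the two messages above, as an added PowerShell example that is not from the thread. It treats a password as carrying as many bits as the random input fed into it (8 bits per CSPRNG byte), because that is the count that bounds a brute-force search; the Base64 alphabet only determines the output length (4 characters per 3 bytes), and constant prefix/suffix characters add no bits. The second model, Length * log2(charset size), is the per-character figure used for the "15 characters from 96 printable ASCII" case. The 18-byte row is my assumption for the 24-character variant Sean mentions (18 bytes encode to exactly 24 Base64 characters); the guess rates are the thread's 1,000/s and 50 million/s.

```powershell
# Added example, not from the thread: the arithmetic for
# "N random bytes -> Base64 -> constant prefix/suffix".

function Get-Base64Length {
    param([int]$ByteCount)
    # Base64 emits 4 characters for every 3 input bytes and pads the last group,
    # so 15 bytes become 20 characters and 18 bytes become 24.
    return [int]([math]::Ceiling($ByteCount / 3) * 4)
}

function Get-RandomBytesEntropyBits {
    param([int]$RandomByteCount)
    # A CSPRNG byte carries 8 bits. Re-encoding the bytes (Base64 or anything
    # else) changes the alphabet and length of the string, not the number of
    # equally likely outcomes, and fixed affix characters contribute 0 bits.
    return 8 * $RandomByteCount
}

function Get-CharsetEntropyBits {
    param([int]$Length, [int]$CharsetSize)
    # The other model in the thread: each position drawn uniformly from a
    # charset of the given size, i.e. Length * log2(CharsetSize) bits.
    return $Length * [math]::Log($CharsetSize, 2)
}

function Get-ExpectedBruteForceYears {
    param([double]$EntropyBits, [double]$GuessesPerSecond)
    # On average the correct guess is found halfway through the keyspace.
    $expectedGuesses = [math]::Pow(2, $EntropyBits) / 2
    return $expectedGuesses / $GuessesPerSecond / 31557600   # seconds per Julian year
}

# Constructed inputs: the thread's 15-byte generator, an assumed 18-byte
# variant (24 Base64 characters), and the two guess rates mentioned above.
foreach ($bytes in 15, 18) {
    $bits = Get-RandomBytesEntropyBits -RandomByteCount $bytes
    "{0} random bytes -> {1} Base64 characters, {2} bits of entropy" -f $bytes, (Get-Base64Length -ByteCount $bytes), $bits
    foreach ($rate in 1e3, 5e7) {
        $years = Get-ExpectedBruteForceYears -EntropyBits $bits -GuessesPerSecond $rate
        "  {0,12:N0} guesses/s -> about {1:E2} years" -f $rate, $years
    }
}
"15 characters drawn uniformly from 96 printable ASCII: {0:N1} bits" -f (Get-CharsetEntropyBits -Length 15 -CharsetSize 96)
```

The online rate (1,000/s) is what a lockout-protected directory exposes; the 50 million/s figure models an offline attack against captured hashes, which is the number to plan around for an account whose hash may leave the domain controller.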

From: [email protected] [mailto:[email protected]] On Behalf Of Sean Martin
Sent: Wednesday, February 3, 2016 3:24 PM
To: [email protected]
Subject: [powershell] Random Password Generator

I don't get the opportunity to contribute all that often so I thought I would 
throw this out there in case it helps anyone.

I got the method from this article: 
https://www.scriptjunkie.us/2013/09/secure-random-password-generation/

I modify the resulting password by prepending/appending a couple of special and 
numerical characters to ensure it meets complexity requirements in my current 
environment.

Easy way to generate a secure password whenever the need arises. Critiques are 
always welcome.

===================================================================

# Generate Random Password

# 15 bytes from the OS cryptographic RNG, Base64-encoded to a 20-character string
$randombytes = new-object byte[] 15
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($randombytes)
$pass = [System.Convert]::ToBase64String($randombytes)
# constant prefix/suffix so the result passes the domain complexity rule
$password = "&#" + $pass + "82"

Write-Host ""
Write-Host "Your password is: " -ForeGroundColor Cyan -NoNewLine
Write-Host "$Password" -ForeGroundColor Yellow
Write-Host ""
Write-Host ""
Write-Host "Press enter to exit script..." -ForeGroundColor Cyan

$Pause = Read-Host
Exit

==================================================================

- Sean
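An added example, not Sean's script: a generator that keeps the CSPRNG-bytes-to-Base64 core but draws the complexity-padding characters from the same RNG instead of using the fixed "&#" and "82", so the affixes contribute entropy rather than a known pattern, plus a check against a typical three-of-four-character-classes rule. The alphabet in $ExtraChars, the two-character prefix and suffix, and the 15-character minimum are my assumptions; adjust them to the local policy. Rejection sampling in Get-RandomIndex avoids the modulo bias a plain `byte % n` would introduce.

```powershell
# Added example (not the thread author's script): random-affix generator
# and complexity check. Uses RandomNumberGenerator.Create(), which works in
# both Windows PowerShell and PowerShell 7.

function Get-RandomIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    # Map one random byte to 0..Max-1 without modulo bias: discard bytes
    # above the largest multiple of Max that fits in 0..255.
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return $buf[0] % $Max
}

function New-RandomPassword {
    param(
        [int]$RandomByteCount = 15,                       # 15 bytes -> 20 Base64 chars
        [string]$ExtraChars = '0123456789!#$%&*+-=?@^_',  # assumed affix alphabet
        [int]$AffixLength = 2
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $bytes = New-Object byte[] $RandomByteCount
        $rng.GetBytes($bytes)
        $core = [System.Convert]::ToBase64String($bytes)   # '=' padding appears unless count % 3 -eq 0
        # Draw the affix characters randomly instead of using constants.
        $pick = { $ExtraChars[(Get-RandomIndex -Rng $rng -Max $ExtraChars.Length)] }
        $prefix = -join (1..$AffixLength | ForEach-Object { & $pick })
        $suffix = -join (1..$AffixLength | ForEach-Object { & $pick })
        return $prefix + $core + $suffix
    }
    finally {
        $rng.Dispose()
    }
}

function Test-PasswordComplexity {
    param([string]$Password, [int]$MinLength = 15)
    # Typical AD-style rule: minimum length and at least three of four classes.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    return ($Password.Length -ge $MinLength) -and ($classes -ge 3)
}

# Sample run (output differs every time, which is the point).
$candidate = New-RandomPassword
"Generated: $candidate  (length $($candidate.Length))"
"Meets complexity rule: $(Test-PasswordComplexity -Password $candidate)"
```

For the rotation use case described in the thread, the caller converts the result with ConvertTo-SecureString -AsPlainText -Force and hands it to Set-ADAccountPassword -Reset; the function itself never touches the directory, which keeps it testable outside the domain. A loop that regenerates until Test-PasswordComplexity passes is cheap, since with 20 Base64 characters a miss on the upper/lower classes is rare.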

================================================
Did you know you can also post and find answers on PowerShell in the forums?
http://www.myitforum.com/forums/default.asp?catApp=1

Confidentiality Notice: This is a transmission from Community Hospital of the 
Monterey Peninsula. This message and any attached documents may be confidential 
and contain information protected by state and federal medical privacy 
statutes. They are intended only for the use of the addressee. If you are not 
the intended recipient, any disclosure, copying, or distribution of this 
information is strictly prohibited. If you received this transmission in error, 
please accept our apologies and notify the sender. Thank you.
