package: lwat
severity: wishlist
version: 0.16-1

Hi,

Nico Golde recently did a code review of lwat and found no real problems,
cheers! (And thanks, Nico.)

The only problematic thing he found was the password creation function which 
creates very simple passwords. On purpose, I guess :-)

Still, it would be nice if there were a configuration option to also be
able to use "pwgen -s 12 1" :-)


regards,        
        Holger

----------  Forwarded Message  ----------

Subject: insecure pwgen function in lwat
Date: Wednesday 05 December 2007 22:27
From: Nico Golde <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Hi,
during reading of the lwat source code I stumbled over the
following function:
function pwgen(){
    $pw = '';
    $c  = 'bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVW'; //consonants except hard to speak ones
    $v  = 'aeiouAEU';              //vowels
    $a  = $c.$v;                //both

    //use two syllables...
    for($i=0;$i < 2; $i++){
        $pw .= $c[rand(0, strlen($c)-1)];
        $pw .= $v[rand(0, strlen($v)-1)];
        $pw .= $a[rand(0, strlen($a)-1)];
    }
    //... and add a nice number
    $pw .= rand(10,99);

    return $pw;
}


This gives us a lot of information about how the passwords will look.
Passwords are 8 characters long:
1st and 4th character are from bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVW
2nd and 5th character are from aeiouAEU
3rd and 6th character are from bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVWaeiouAEU
7th character is between 1 and 9
8th character is between 0 and 9.

I am too lazy to calculate how many possibilities this will have, but it's
really pretty well brute-forceable in my opinion and should not be
considered to be secure.

I guess this algorithm is intended to create passwords that
a human can remember? :)

Kind regards
Nico

--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

-------------------------------------------------------

Attachment: pgphYpQhJzejI.pgp
Description: PGP signature
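The calculation Nico left out, as an added example that is not part of the bug report and not lwat's own code: it counts the search space of the quoted pwgen() exactly from its three alphabets and the rand(10,99) suffix, converts that to bits, and contrasts it with the 62-character alphanumeric alphabet of "pwgen -s 12". The guess rate fed to the time estimate is an assumption chosen for illustration, not a measurement; the Python replica samples the same password shape with a CSPRNG rather than PHP's rand(), since the point here is the size of the space, not how it is sampled.

```python
"""Search space of lwat's pwgen() versus `pwgen -s 12` (added example, not lwat code)."""
import math
import secrets
import string

# Alphabets copied from the lwat function quoted in the bug report.
CONSONANTS = "bcdfghjkmnprstvwzBCDFGHJKLMNPQRSTVW"   # 35 symbols
VOWELS = "aeiouAEU"                                   # 8 symbols
BOTH = CONSONANTS + VOWELS                            # 43 symbols

# Each letter position of an lwat password draws from exactly one pool,
# so the number of distinct passwords is the product of the pool sizes.
LWAT_POSITIONS = [CONSONANTS, VOWELS, BOTH] * 2       # two "syllables"
LWAT_NUMBER_CHOICES = 99 - 10 + 1                     # rand(10, 99) -> 90 values


def lwat_keyspace() -> int:
    """Exact number of distinct passwords lwat's pwgen() can produce."""
    n = 1
    for pool in LWAT_POSITIONS:
        n *= len(pool)
    return n * LWAT_NUMBER_CHOICES


def pwgen_s_keyspace(length: int = 12) -> int:
    """Search space of `pwgen -s LENGTH`: every position is one of 62 alphanumerics."""
    return len(string.ascii_letters + string.digits) ** length


def bits(keyspace: int) -> float:
    """Entropy in bits of a uniform choice from KEYSPACE passwords."""
    return math.log2(keyspace)


def worst_case_hours(keyspace: int, guesses_per_second: float) -> float:
    """Hours needed to try every password at an ASSUMED guess rate."""
    return keyspace / guesses_per_second / 3600


def lwat_style_password() -> str:
    """Reproduce lwat's password shape, sampled uniformly with a CSPRNG.

    Still weak: the shape leaves only lwat_keyspace() possibilities.
    """
    pw = "".join(secrets.choice(pool) for pool in LWAT_POSITIONS)
    return pw + str(10 + secrets.randbelow(LWAT_NUMBER_CHOICES))


def matches_lwat_shape(pw: str) -> bool:
    """True if PW fits the 8-character pattern an attacker can assume."""
    if len(pw) != 8:
        return False
    letters_ok = all(ch in pool for ch, pool in zip(pw[:6], LWAT_POSITIONS))
    return letters_ok and pw[6] in "123456789" and pw[7].isdigit()


if __name__ == "__main__":
    lwat, strong = lwat_keyspace(), pwgen_s_keyspace(12)
    rate = 1e6  # assumed guesses per second, for illustration only
    print(f"lwat pwgen():  {lwat:,} passwords ({bits(lwat):.1f} bits), "
          f"exhausted in {worst_case_hours(lwat, rate):.1f} h at {rate:g}/s")
    print(f"pwgen -s 12:   {strong:,} passwords ({bits(strong):.1f} bits), "
          f"{worst_case_hours(strong, rate) / 24 / 365:.2e} years at {rate:g}/s")
    print("sample lwat-shaped password:", lwat_style_password())
```

The lwat shape yields 35 * 8 * 43 = 12040 combinations per syllable, so 12040^2 * 90 = 13,046,544,000 passwords, roughly 33.6 bits; "pwgen -s 12" gives 62^12, roughly 71.4 bits. The "7th character is between 1 and 9" line above is what makes the suffix contribute 90 rather than 100 values.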