This is not a cryptographically secure password and should *never* be used for a real production system.
Because the VB Rnd function is a Linear Congruential Generator random number generator, there is significant statistical correlation between characters within the password that would make it very easy to guess. Something like this should not be used in a production system. You need to call into CryptGenRandom to get a cryptographically secure random number. If you can take a dependency on CAPICOM you can do this from VB Script but that is probably harder to do for most installers.

--Peter

-----Original Message-----
From: Joe Osman [mailto:joe.os...@tait.co.nz]
Sent: Monday, January 12, 2009 4:51 PM
To: General discussion for Windows Installer XML toolset.
Subject: Re: [WiX-users] Generating random password for created user

You can use the following vbscript:

Function generatePassword()
    Dim NUMLOWER, NUMUPPER, LOWERBOUND, UPPERBOUND, LOWERBOUND1, UPPERBOUND1, SYMLOWER, SYMUPPER
    Dim newPassword, count, pwd, pick
    Dim pCheckComplex, pCheckComplexUp, pCheckComplexLow, pCheckComplexNum, pCheckComplexSym, pCheckAnswer, PASSWORD_LENGTH

    PASSWORD_LENGTH = 6
    NUMLOWER = 48       ' 48 = 0
    NUMUPPER = 57       ' 57 = 9
    LOWERBOUND = 65     ' 65 = A
    UPPERBOUND = 90     ' 90 = Z
    LOWERBOUND1 = 97    ' 97 = a
    UPPERBOUND1 = 122   ' 122 = z
    SYMLOWER = 33       ' 33 = !
    SYMUPPER = 46       ' 46 = .

    ' initialize the random number generator
    Randomize()
    newPassword = ""
    count = 0

    Do Until count = PASSWORD_LENGTH
        ' generate a num between 2 and 10
        ' (drawn once so the branches below match the ranges in their comments)
        pick = Int( ( 10 - 2 + 1 ) * Rnd + 2 )
        ' if num <= 2 create a symbol
        If pick <= 2 Then
            pwd = Int( ( SYMUPPER - SYMLOWER + 1 ) * Rnd + SYMLOWER )
        ' if num is between 3 and 5 create a lowercase
        ElseIf pick > 2 And pick <= 5 Then
            pwd = Int( ( UPPERBOUND1 - LOWERBOUND1 + 1 ) * Rnd + LOWERBOUND1 )
        ' if num is 6 or 7 generate an uppercase
        ElseIf pick > 5 And pick <= 7 Then
            pwd = Int( ( UPPERBOUND - LOWERBOUND + 1 ) * Rnd + LOWERBOUND )
        Else
            pwd = Int( ( NUMUPPER - NUMLOWER + 1 ) * Rnd + NUMLOWER )
        End If
        newPassword = newPassword + Chr( pwd )
        count = count + 1

        ' Check to make sure that a proper mix of characters has been created.
        ' If not discard the password.
        If count = (PASSWORD_LENGTH) Then
            ' used to check number of character types in password
            ' (reset here so a discarded password does not count toward the next one)
            pCheckComplexUp = 0
            pCheckComplexLow = 0
            pCheckComplexNum = 0
            pCheckComplexSym = 0
            For pCheckComplex = 1 To PASSWORD_LENGTH
                ' Check for uppercase (65 = A to 90 = Z)
                If Asc(Mid(newPassword,pCheckComplex,1)) > 64 And Asc(Mid(newPassword,pCheckComplex,1)) < 91 Then
                    pCheckComplexUp = 1
                ' Check for lowercase
                ElseIf Asc(Mid(newPassword,pCheckComplex,1)) > 96 And Asc(Mid(newPassword,pCheckComplex,1)) < 123 Then
                    pCheckComplexLow = 1
                ' Check for numbers
                ElseIf Asc(Mid(newPassword,pCheckComplex,1)) > 47 And Asc(Mid(newPassword,pCheckComplex,1)) < 58 Then
                    pCheckComplexNum = 1
                ' Check for symbols
                ElseIf Asc(Mid(newPassword,pCheckComplex,1)) > 32 And Asc(Mid(newPassword,pCheckComplex,1)) < 47 Then
                    pCheckComplexSym = 1
                End If
            Next
            ' Add up the number of character sets. We require 3 or 4 for a complex password.
            pCheckAnswer = pCheckComplexUp + pCheckComplexLow + pCheckComplexNum + pCheckComplexSym
            If pCheckAnswer < 3 Then
                newPassword = ""
                count = 0
            End If
        End If
    Loop

    Session.Property("USERPASSWORD") = newPassword
End Function

In order to create the user in WIX first you need to run the script using a custom action and when you create the user you need to use the generated password:

<util:User Id="user1" CreateUser="yes" Name="Test_User" Password="[USERPASSWORD]"
           LogonAsService="yes" PasswordNeverExpires="yes" UpdateIfExists="yes" FailIfExists="no" />
<InstallExecuteSequence>
    <Custom Action="CreateUserPassword" After="InstallInitialize">NOT Installed</Custom>
</InstallExecuteSequence>
<Binary Id="GeneratePassword" SourceFile="GeneratePassword.vbs"/>
<CustomAction Id="CreateUserPassword" Return="check" BinaryKey="GeneratePassword" VBScriptCall="generatePassword"/>

Kelly Leahy wrote:
> Robert, your best bet if you're building a C/C++ custom action is to use
> static linking so you don't have any dependencies.
>
> Kelly
>
> "Robert Barnes" <robert.bar...@gmail.com>
> 01/05/2009 11:09 PM
> Please respond to
> "General discussion for Windows Installer XML toolset."
> <wix-users@lists.sourceforge.net>
>
> To
> "General discussion for Windows Installer XML toolset."
> <wix-users@lists.sourceforge.net>
> cc
>
> Subject
> Re: [WiX-users] Generating random password for created user
>
> 2009/1/3 Peter Oehlert <poehl...@securityinnovation.com>:
>> I'm creating a couple of service accounts with my install to be used as the
>> identity of an IIS App Pool. I'd like to simply create very long securely
>> random passwords (cryptgenrandom or system.security.RandomNumberGenerator).
>> I'm still fairly new to this but I think I need a custom action to set the
>> value to a property on install. Then I'll reference that property during
>> both the user creation and iis app pool creation. Is there a custom action
>> out there to already do this or is this something I'll need to do myself?
>> Thanks,
>> Peter
>
> I want to do exactly the same thing. Does anyone know of a custom
> action implementation in the public domain that I could use?
>
> Changing the topic slightly - if I was to go and write my own DLL in C
> or C++ will I have issues caused by the different versions of the C
> Runtime that might be on machines I install onto?
>
> Regards,
> Rob

_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
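
Added example, not part of the thread and not code from WiX or from any poster: a C custom action of the kind the thread asks for, taking bytes from CryptGenRandom and mapping them to characters by rejection sampling so that no character is favoured. The entry-point name GenerateUserPassword, the 32-character length and the alphabet are assumptions; USERPASSWORD is the property from the WiX fragment above.

```c
/* Added example: MSI custom action that sets USERPASSWORD from the OS CSPRNG. */
#include <stddef.h>

#define PW_LEN 32   /* assumed length; the thread only asks for "very long" */
/* Assumed alphabet: 73 characters, no quotes or brackets. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&()*+-.";

/* Map random bytes to ALPHABET without modulo bias: a byte at or above the
   largest multiple of the alphabet size (219 here) is skipped, not wrapped.
   Writes at most `want` characters plus a NUL; returns the count written. */
size_t bytes_to_password(const unsigned char *rnd, size_t n, char *out, size_t want)
{
    const size_t k = sizeof(ALPHABET) - 1;
    const size_t limit = 256 - (256 % k);
    size_t made = 0;
    for (size_t i = 0; i < n && made < want; i++)
        if (rnd[i] < limit)
            out[made++] = ALPHABET[rnd[i] % k];
    out[made] = '\0';
    return made;
}

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#include <msiquery.h>

/* Hypothetical entry point; name it in DllEntry on the CustomAction element. */
UINT __stdcall GenerateUserPassword(MSIHANDLE hInstall)
{
    HCRYPTPROV prov = 0;
    unsigned char rnd[64];
    char pw[PW_LEN + 1];
    size_t have = 0;
    UINT rc = ERROR_INSTALL_FAILURE;

    if (!CryptAcquireContextA(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
        return rc;
    while (have < PW_LEN) {          /* refill until enough bytes survive */
        if (!CryptGenRandom(prov, (DWORD)sizeof rnd, rnd))
            goto done;
        have += bytes_to_password(rnd, sizeof rnd, pw + have, PW_LEN - have);
    }
    rc = MsiSetPropertyA(hInstall, "USERPASSWORD", pw);
done:
    SecureZeroMemory(pw, sizeof pw);
    SecureZeroMemory(rnd, sizeof rnd);
    CryptReleaseContext(prov, 0);
    return rc;
}
#endif
```

Build the DLL with the static CRT (/MT), export the entry point, and link msi.lib and advapi32.lib. List USERPASSWORD in the MsiHiddenProperties property so the value is not written to the installer log.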