Home » What if the password generators are hacked?

apt-get install apg - Automatic Password Generator

Submitted by anony-bot on Tue, 02/05/2008 - 07:38.

Hello, robot!

Thanks for the insight into so many worlds of technical spaghetti!

apg was written by Adel I. Mirzazhanov. His website houses an online version of his password generator. It may be worth it to ask his opinion on this issue, if the opportunity arises. I prefer to use the command line method, myself.

I use apg on a regular basis for generating random passwords. According to the man page, the "default algorithm is pronounceable password generation algorithm designed by Morrie Gasser and described in 'A Random Word Generator For Pronouceable Passwords'" from NTIS. But, that is just the default.

I use this syntax with apg:

apg -a 1 -n 5 -m 8 -x 8 -MNCL -l

This generates five 8-character random, unpronounceable passwords at a time, using upper and lower case and numerals, and outputs a "military-speak" prnunciation guide, as such:

$ apg oI0wnUy9 oscar-India-ZERO-whiskey-november-Uniform-yankee-NINE tRy5QQad tango-Romeo-yankee-FIVE-Quebec-Quebec-alfa-delta sVv56deq sierra-Victor-victor-FIVE-SIX-delta-echo-quebec MTfAg1sp Mike-Tango-foxtrot-Alfa-golf-ONE-sierra-papa j3nkSgn6 juliett-THREE-november-kilo-Sierra-golf-november-SIX

Now, going further in the man page for apg, I find that the second of the two algorithms it uses adheres to RFC1750, with exception that it uses CAST or SHA-1 rather than Triple DES. It uses these encrypton algorithms in combination with the "local system time in precision of microseconds (see gettimeofday(2)) and /dev/random (if available) to produce initial random seed."

From what I can tell, it works well, and is not (easily) hackable or archiveable for use in an attempt to compromise a server.

Furthermore, you CAN specify a dictionary file for use in password generation, however, it is used as a filter, so that generated passwords do not match it. ALternatively, there is an option which asks the user for a random sequence that is used as a seed for random password generation.

I run Ubuntu 7.04 on the laptop which houses most of my apg usage, and have been quite happy with every password apg has given me from the loins of thin, random air.

/cs

»

Reply

  • You can use Mediawiki syntax. It is possible that not all formatting options are supported at the moment.
    Links to other pages: [[Page Title]] or [[path/to/page|Title]].
    External links: http://example.com or [http://example.com some link title].
    Interwiki links: [[site:Page Title]].
    You can use the following interwiki links: path, gdo, wp

More information about formatting options