Package: makepasswd
Version: 1.10-5
Severity: normal

makepasswd has the following command line arguments: --minchars and --maxchars.
They allow generating passwords of length from minchars to maxchars. The default
setting is to generate passwords of length from 8 to 10 characters.

The problem is the algorithm makepasswd uses to select the length of the password
it generates.

It chooses the length of the password with equal probability. So, for example, if
--minchars=1 and --maxchars=10, then with probability 1/10 an absolutely insecure
password of length 1 will be generated.

For real world examples (default --minchars=8, --maxchars=10) the problem is less
severe but still exists, because by default the probability of a 10-character
password is 1/3/62^10 ~=~ 4e-19, but the probability of an 8-character password
is much greater: 1/3/62^8 ~=~ 1.5e-15.

I suggest choosing the length of the generated password not with equal probability
but according to the amount of passwords of each possible length. For example, for
--minchars=8 and --maxchars=10 the amount of passwords of length 8 is 62^8, of
length 9 is 62^9 and of length 10 is 62^10. So ideally the
probability of length 8 should be 62^8/(62^8+62^9+62^10) ~=~ 0.00026, the
probability of length 9 should be 62^9/(62^8+62^9+62^10) ~=~ 0.016 and the
probability of length 10 should be 62^10/(62^8+62^9+62^10) ~=~ 0.98.

It is also clearly seen that there is no reason to specify a range of password
lengths, because the absolute majority of passwords come from the maximal length.
So I suggest setting the default --minchars and --maxchars to the same value, for
example 10.
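The following is an added illustration of the weighting proposed above; it is not code from makepasswd or from the bug reporter. It assumes the 62-symbol alphabet (letters and digits) used in the report's arithmetic, and the function names are hypothetical. It computes the length distribution under both schemes and draws a length with a CSPRNG so that every password in the range minchars..maxchars is equally likely, which is exactly what weighting lengths by 62^L achieves.

```python
import secrets
import string
from fractions import Fraction

# Assumed alphabet: 62 symbols, matching the 62^L counts in the report.
ALPHABET = string.ascii_letters + string.digits


def uniform_length_probs(minchars, maxchars):
    """Length distribution under the scheme the report criticises:
    every length in [minchars, maxchars] is equally likely."""
    n = maxchars - minchars + 1
    return {length: Fraction(1, n) for length in range(minchars, maxchars + 1)}


def weighted_length_probs(minchars, maxchars, alphabet_size=len(ALPHABET)):
    """Length distribution weighted by how many passwords of each length exist,
    i.e. P(L) = size^L / sum(size^k for k in range)."""
    counts = {length: alphabet_size ** length for length in range(minchars, maxchars + 1)}
    total = sum(counts.values())
    return {length: Fraction(c, total) for length, c in counts.items()}


def pick_length(minchars, maxchars, alphabet_size=len(ALPHABET)):
    """Draw a length from the weighted distribution using the OS CSPRNG.

    Equivalent to choosing uniformly from the union of all passwords of
    length minchars..maxchars and reporting the length of the one chosen.
    secrets.randbelow handles arbitrarily large integers, so 62**maxchars
    does not overflow."""
    lengths = list(range(minchars, maxchars + 1))
    counts = [alphabet_size ** length for length in lengths]
    r = secrets.randbelow(sum(counts))  # uniform in [0, total)
    for length, count in zip(lengths, counts):
        if r < count:
            return length
        r -= count
    raise AssertionError("unreachable: r is always below the total")


def generate_password(minchars=8, maxchars=10, alphabet=ALPHABET):
    """Generate a password whose length follows the weighted distribution
    and whose characters are drawn uniformly from the alphabet."""
    length = pick_length(minchars, maxchars, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for scheme, probs in (("uniform", uniform_length_probs(8, 10)),
                          ("weighted", weighted_length_probs(8, 10))):
        print(scheme, {length: f"{float(p):.5f}" for length, p in probs.items()})
    print("uniform P(length 1) for 1..10:", float(uniform_length_probs(1, 10)[1]))
    print("weighted P(length 1) for 1..10:", float(weighted_length_probs(1, 10)[1]))
    print("sample:", generate_password())
```

Running it reproduces the report's figures (about 0.00026, 0.016 and 0.98 for lengths 8, 9 and 10) and shows that with --minchars=1 the weighted scheme gives a length-1 password a probability around 7e-17 instead of 1/10.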


-- System Information:
Debian Release: squeeze/sid
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages makepasswd depends on:
ii  libcrypt-openssl-random-perl  0.04-1+b1  Access to the OpenSSL pseudo-rando
ii  libcrypt-passwdmd5-perl       1.3-9      interoperable MD5-based crypt() fo
ii  perl                          5.10.1-8   Larry Wall's Practical Extraction 

makepasswd recommends no packages.

makepasswd suggests no packages.

-- no debconf information
