Fun at the expense of password generators
These are some scripts that enumerate the passwords that certain 'random' password generators can actually produce.
They can be used with 'john --stdin' (John the Ripper reading candidate passwords from standard input), which is useful for auditing your password files for passwords that are inadvertently insecure because they came from a weak generator.
If you're the author of a random password generator, it is important to realise that you're creating a security tool - in fact one of the best and most successful classes of security tools.
As such, it's important to make sure you do this properly - people who are using your tool are people who have gone to extra effort to provide for their own security, and if you do this incorrectly you have really let them down.
Some simple things you should look out for:
- Bias - every possible password should have an equal probability. The usual causes of bias are reducing a random value modulo the alphabet size when the alphabet size does not divide the value's range, and clamping out-of-range indices onto the ends of the alphabet. Try graphing the output of your tool (over a million trials) and see whether any characters are more likely than others.
- Insecure entropy source - if you're using srand() or similar, the seed is an unsigned int, so there are at most 2^32 possible seeds, and on common libc implementations effectively 2^31 (around 2 billion). Even if you seed it with secure entropy, an attacker who knows the generator can enumerate every seed offline, and with it every password the tool could ever have produced, whatever the password's length; when the seed comes from time() the candidate set is smaller still.
- Make sure you can describe the strength of your generated passwords! Document this clearly, or make the strength explicit in how the user interacts with the generator. See pwgen's phoneme mode for an example of a password generator that ignores this rule: the output looks like a random string of its length, but the phoneme rules restrict it to a far smaller set, and the strength that remains is not stated.
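The three checks above, applied to a constructed weak generator. This is an added example, not one of the scripts described on this page and not code from pwgen or any other real tool: the generator below is a stand-in for a typical buggy one (a 31-bit seed feeding an ANSI-C style LCG, one byte per character mapped onto the alphabet with a modulo), and the function names, the alphabet and the audit sizes are assumptions chosen for the demonstration. It measures the modulo bias, caps the claimed strength at the seed space, recovers the seed of a known password, and emits every candidate for piping into 'john --stdin'.

```python
"""Audit a deliberately weak password generator for bias, seed space and strength.

Added example, not from the original page or any real generator.  The
generator is constructed to exhibit the bugs the page warns about.
"""
import math
import random
from collections import Counter
from typing import Iterator, List, Optional

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SEED_BITS = 31   # srand()-style seed space: 2**31 distinct generator states


def weak_password(seed: int, length: int = 8) -> str:
    """Constructed weak generator: ANSI-C style LCG, one byte per character."""
    state = seed & 0x7FFFFFFF
    out = []
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF
        byte = (state >> 16) & 0xFF                 # 256 equally likely values...
        out.append(ALPHABET[byte % len(ALPHABET)])  # ...squeezed onto 62: biased
    return "".join(out)


def bias_check(trials: int = 100_000, length: int = 8,
               tolerance: float = 0.10) -> List[str]:
    """Characters that appear more than (1 + tolerance) times their fair share.

    The audit RNG is fixed so the result is reproducible.  A correct generator
    returns an empty list; this one over-produces ALPHABET[:8], because
    256 % 62 == 8 gives those eight characters 5/256 instead of 4/256.
    """
    audit_rng = random.Random(0)   # assumption: fixed audit seed for reproducibility
    counts: Counter = Counter()
    for _ in range(trials):
        counts.update(weak_password(audit_rng.getrandbits(SEED_BITS), length))
    expected = trials * length / len(ALPHABET)
    return sorted(c for c, n in counts.items() if n > expected * (1 + tolerance))


def strength_bits(length: int, alphabet_size: int = len(ALPHABET),
                  seed_bits: int = SEED_BITS) -> float:
    """Effective strength in bits: the seed space caps it however long the password is."""
    from_alphabet = length * math.log2(alphabet_size)
    return min(from_alphabet, seed_bits)


def candidates(max_seed: int, length: int = 8) -> Iterator[str]:
    """Every password the generator can emit for seeds below max_seed.

    Pipe the output to John: python3 audit.py | john --stdin hashes.txt
    The full 2**31 seeds take a while in Python but are entirely feasible offline.
    """
    for seed in range(max_seed):
        yield weak_password(seed, length)


def recover_seed(password: str, max_seed: int) -> Optional[int]:
    """Offline attack: find the seed that produced a known password, if any."""
    for seed in range(max_seed):
        if weak_password(seed, len(password)) == password:
            return seed
    return None


if __name__ == "__main__":
    import sys
    print("over-represented characters:", bias_check(), file=sys.stderr)
    print("12-char password strength: %.1f bits" % strength_bits(12), file=sys.stderr)
    for pw in candidates(1 << 16):   # demo size; use 1 << SEED_BITS for a real audit
        print(pw)
```

The strength figure is the point of the third rule: a 12-character output from a 62-character alphabet looks like roughly 71 bits, but with a 31-bit seed the generator can only ever produce 2^31 distinct passwords, so 31 bits is what the user actually gets.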