paste widget "password" generator uses (very) insecure randomness
Bug #1179380 reported by mik
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kdeplasma-addons (Debian) | Fix Released | Unknown | |
kdeplasma-addons (Ubuntu) | Fix Released | Low | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Won't Fix | Low | Unassigned |
Quantal | Won't Fix | Low | Unassigned |
Raring | Won't Fix | Low | Unassigned |
Saucy | Fix Released | Low | Unassigned |
Bug Description
The paste widget offers a way to generate random passwords easily with "password" macros.
Unfortunately:
- It is using an insecure RNG
- It is reseeding the RNG with the current timestamp every time it is called
- There is modulo bias in the selection algorithm
See PasteMacroExpan
People who have been relying on this widget to generate passwords should consider changing all passwords generated with this applet.
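As an added illustration (not code from kdeplasma-addons, the paste widget, or the bug's reporter), the Python below puts numbers on the three defects listed above and shows a generator that avoids all of them: it bounds the effective entropy of a generator reseeded from a second-granularity timestamp, measures the modulo bias of reducing a fixed-width random value to an alphabet index, and draws symbols from the OS CSPRNG with rejection sampling so no symbol is favoured. The alphabet, the 15-bit RNG width and the one-year seed window are constructed assumptions for the demonstration, not values taken from the widget.

```python
"""Added example: weak-RNG password generation, quantified, beside a correct generator.
Not the kdeplasma-addons code; the alphabet and sizes below are constructed assumptions."""
import math
import secrets
import string
from fractions import Fraction

# Constructed sample alphabet (62 symbols); the widget's real alphabet is not reproduced here.
ALPHABET = string.ascii_letters + string.digits


def seed_space_bits(seconds: int) -> float:
    """Upper bound on the entropy of a generator reseeded from a timestamp with
    one-second granularity: every output is a function of the seed, so the whole
    password carries at most log2(number of candidate seeds) bits, regardless of
    its length. A one-year window is about 25 bits."""
    return math.log2(seconds)


def modulo_bias_ratio(rng_range: int, alphabet_size: int) -> Fraction:
    """How uneven `x % alphabet_size` is when x is uniform on [0, rng_range).
    Returns P(most likely symbol) / P(least likely symbol); 1 means no bias."""
    if rng_range < alphabet_size:
        raise ValueError("RNG range smaller than alphabet: some symbols can never occur")
    q, r = divmod(rng_range, alphabet_size)
    if r == 0:
        return Fraction(1)
    # The first r residues are hit q+1 times, the remaining ones q times.
    return Fraction(q + 1, q)


def unbiased_index(n: int, draw=None) -> int:
    """Rejection sampling: draw values of bit_length(n) bits from a CSPRNG and
    discard any that are >= n, so every index in [0, n) is exactly equally likely.
    `draw(bits)` defaults to secrets.randbits and is injectable for tests."""
    draw = draw or secrets.randbits
    bits = n.bit_length()
    while True:
        x = draw(bits)
        if x < n:
            return x


def secure_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a password from the OS CSPRNG: no caller-side seeding (the
    `secrets` module never needs reseeding) and no modulo reduction."""
    return "".join(alphabet[unbiased_index(len(alphabet))] for _ in range(length))


def password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a correctly generated password, for comparison with seed_space_bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("seed space, one year of seconds:  %.1f bits" % seed_space_bits(365 * 24 * 3600))
    print("16-char password, 62 symbols:      %.1f bits" % password_bits(16, 62))
    print("bias of 15-bit value mod 62:       %s" % modulo_bias_ratio(2 ** 15, 62))
    print("sample:", secure_password(16))
```

The point the numbers make: a timestamp-seeded generator yields roughly 25 bits of security for any password length, while a correctly generated 16-character password from the same alphabet carries about 95 bits; the modulo bias is a smaller but still measurable skew that rejection sampling removes entirely.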
information type: Private Security → Public Security
Changed in kdeplasma-addons (Ubuntu Lucid): status: New → Won't Fix
Changed in kdeplasma-addons (Ubuntu Precise): status: New → Confirmed
Changed in kdeplasma-addons (Ubuntu Quantal): status: New → Confirmed
Changed in kdeplasma-addons (Ubuntu Raring): status: New → Confirmed
Changed in kdeplasma-addons (Ubuntu Saucy): status: New → Confirmed
Changed in kdeplasma-addons (Ubuntu Precise): importance: Undecided → Low
Changed in kdeplasma-addons (Ubuntu Quantal): importance: Undecided → Low
Changed in kdeplasma-addons (Ubuntu Raring): importance: Undecided → Low
Changed in kdeplasma-addons (Ubuntu Saucy): importance: Undecided → Low
Changed in kdeplasma-addons (Debian): status: Unknown → New
Changed in kdeplasma-addons (Ubuntu Precise): status: Confirmed → In Progress
Changed in kdeplasma-addons (Ubuntu Quantal): status: Confirmed → In Progress
Changed in kdeplasma-addons (Ubuntu Raring): status: Confirmed → In Progress
Changed in kdeplasma-addons (Ubuntu Saucy): status: Confirmed → In Progress
Changed in kdeplasma-addons (Debian): status: New → Fix Released
Here's a python script that will generate passwords for use with john. Strength of passwords makes no difference to performance, you simply need to pass it the config string (the arguments to the macro), and the startTime and endTime.
All arguments are optional - by default it starts now and ends a year ago, with the default "Random Password" setting of the applet chosen.
To use this, create a passwd-style file, e.g. username:encrypted_password, one per line. mkpasswd can encrypt it for you (e.g. mkpasswd --stdin --hash=md5), then run this command:
touch john.ini
./kdepastebreak.py | john --stdin passwdfile
The <email address hidden> email address hasn't responded to me, but an alert should at least be sent to users, and a nasty error popup should be displayed to people using it, with an offer to use pwqgen or something instead (part of the passwdqc package).