Generated password has repetition

Jonathan Proulx jon at csail.mit.edu
Thu May 4 19:02:39 CEST 2017


On Thu, May 04, 2017 at 04:28:14PM +0000, Matan Nassau wrote:
:When you reject a random password, you introduce a bias. When you select
:based on your idea of what's random, it's akin to selecting based on
:anything else. It defeats the security purpose of an RNG. So one ought to
:be careful with this.

This is admittedly an unlikely corner and shouldn't arbitrarily reject
things that "don't look random enough". Sorry if it came off sounding
that way. And obviously the longer the password the less likely it
becomes.

But if you are unlucky enough to get a random result that
"looks like something a password guesser is likely to try" it is
likewise foolish to accept it simply because it is truly random.



:On Thu, May 4, 2017 at 10:41 Jonathan Proulx <jon at csail.mit.edu> wrote:
:
:> On Thu, May 04, 2017 at 03:16:31PM +0200, Jason A. Donenfeld wrote:
:> :There is a non-zero probability that a RNG will output the complete works
:> :of Shakespeare.
:>
:> and a non zero chance that it will generate "password1234" that
:> doesn't mean accepting that is a good idea though, one also has to
:> consider likely attack strategies.
:>
:> the example given is likely fine, but if you randomly get a password
:> that you think is bad, regeneration is always an option.
:>
:> -Jon
:>
:> :
:> :--
:> :Sent from my telephone.
:> :
:> :On May 4, 2017 13:56, "Matthieu Weber" <mweber at free.fr> wrote:
:> :
:> :On Thu 04.05.2017 at 09:35:24PM +1000, Jens Tröger wrote:
:> :> I know that passwords are generated by pwgen, which is considered a
:> :> strong generator (right?) but today it produced a password with
:> :> consecutive repetitions: #9d:$_r{""yww4{k?}.i'^P}z
:> :
:> :Randomness sometimes generates repetition. If you want to filter out the
:> :passwords with repetitions, you are effectively reducing the number of
:> :possible passwords, therefore making it (slightly) easier to crack.
:> :
:> :> Not sure if this is an issue per se? Can I ignore this in the future?
:> :
:> :I would say it's not an issue, especially with this long a password as
:> :the one above.
:> :
:> :Matthieu
:> :--
:> : (~._.~)        Matthieu Weber - matthieu at weber.fi.eu.org        (~._.~)
:> :  ( ? )                 https://weber.fi.eu.org/                  ( ? )
:> : ()- -()           public key id : 0x85CB340EFCD5E0B3            ()- -()
:> : (_)-(_) "Humor ist, wenn man trotzdem lacht (Otto J. Bierbaum)" (_)-(_)
:> :
:> :_______________________________________________
:> :Password-Store mailing list
:> :Password-Store at lists.zx2c4.com
:> :https://lists.zx2c4.com/mailman/listinfo/password-store
:>
:>
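
The trade-off argued in this thread can be put in numbers. The following is an added example, not part of the original messages and not code from pass or pwgen: it computes how much entropy a "no consecutive repetition" filter removes and compares that with rejecting only a fixed set of guessable strings. The 94-symbol alphabet, the blocklist size and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Assumption: 94 printable ASCII symbols; the thread does not state the alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# The password quoted in the thread (25 characters, contains "" and ww).
SAMPLE = '#9d:$_r{""yww4{k?}.i\'^P}z'


def has_adjacent_repeat(pw):
    """True if any character is immediately followed by the same character."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def count_without_repeats(k, n):
    """Exact count of length-n strings over k symbols with no adjacent repeat."""
    # First symbol: k choices. Each later symbol: anything but its predecessor.
    return k * (k - 1) ** (n - 1)


def filter_cost(k, n):
    """Entropy before/after rejecting every password with an adjacent repeat."""
    total, kept = k ** n, count_without_repeats(k, n)
    return {
        "bits_full": math.log2(total),
        "bits_filtered": math.log2(kept),
        "bits_lost": math.log2(total) - math.log2(kept),
        "reject_probability": 1 - kept / total,
    }


def blocklist_cost(k, n, blocked):
    """Bits lost when only `blocked` specific guessable strings are rejected."""
    return -math.log1p(-blocked / k ** n) / math.log(2)


def generate(n, reject=has_adjacent_repeat):
    """Rejection sampling: redraw from the CSPRNG until the policy accepts."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(n))
        if not reject(pw):
            return pw


if __name__ == "__main__":
    print(has_adjacent_repeat(SAMPLE), filter_cost(len(ALPHABET), len(SAMPLE)))
    print(blocklist_cost(len(ALPHABET), len(SAMPLE), 10 ** 9))
    print(generate(len(SAMPLE)))
```

Under these assumptions about 22.6% of 25-character passwords contain a consecutive repetition, and discarding all of them costs roughly 0.37 of about 163.9 bits. Rejecting a billion specific guessable strings instead costs a vanishingly small fraction of a bit.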
