pwgen-0.1 - Password Security Analysis
--------------------------------------


0. Program Information
1. Abstract
2. Code Analysis
3. Conclusion
4. Links



0. Program Information
----------------------

Author:                                            Adel I. Mirzazhanov
Version:                                                           0.1
Web:                                                           Unknown


1. Abstract
-----------

   pwgen is a well-known program that can be found at various
locations on the net. It was written by Adel I. Mirzazhanov (C) 1999;
this information is needed because there are other programs with the
same name and function.
   pwgen at version 0.1, the most recent version I could find,
contains some critical security flaws and generates "insecure"
passwords.


2. Code Analysis
----------------

   The main security flaw is located in generat.c: the initialization
of the pseudo-random number generator is not secure. This makes all
passwords generated with pwgen weak against attacks that use the same
random number generator and try to guess the seed to generate the same
password.
   The main problem is this function:
   
int gen_random_seed(void)
    {
     return((int)time(NULL));
    }

   An attacker normally knows the time of the password creation more
or less exactly (for example, excluding some years can save an
attacker a huge amount of calculation).

   A second problem, more of a bug, is located in the calculation of
a seed from a user-defined string.
   Let's take a look:

int get_random_seq(void)
    {
     char *user_random_string;
     int seed = 0;

     printf ("\nEnter up to 128 random symbols then press [Enter]\n");
     user_random_string = getpass("Random string:>");
     while( *user_random_string != 0)
         {
          seed = (int)(seed*((int)*user_random_string));
          user_random_string++;
         }
     return(seed);
    }
    
   If you analyse the code you will notice that the seed will always
be zero, because the initialization sets seed to zero and every later
step of the calculation sets it to the product of seed and a value
taken from the user string. This means seed will always have the
value 0.
   This is used in pwgen.c in combination with gen_random_seed() and
finally results in the weakness of the gen_random_seed() function.

user_defined_seq|gen_random_seed()

   The "or" is a good idea (*), but in the end it doesn't matter,
because user_defined_seq is always zero (the result of get_random_seq)
and we know that 0|gen_random_seed() = gen_random_seed().
   
(*) The or isn't really a good idea; it just weakens this further.
    Remember that an or is not able to turn a 1 into a 0. This means
    that the number will only grow. This means that a 1111 is far
    more probable than a 0000. If you consider that the time, as one
    part of the or, is normally a very high number, the whole thing
    turns into an even bigger security flaw.
    But well, that's better than always initializing srand with 0 ;)
    and I don't want to discuss the general problems of the usage of
    srand/rand for password generation here.
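
   The three observations in this section can be checked directly.
The following C program is an added example, not part of pwgen or of
the original advisory; flawed_string_seed() restates the arithmetic of
get_random_seq() with the string passed as a parameter (an assumption,
so it runs without getpass()), and the sample strings are constructed.

```c
#include <stdio.h>
#include <time.h>

/* Arithmetic of get_random_seq() as quoted above. The string is a
 * parameter instead of getpass() input (assumption for this example).
 * The flaw is kept on purpose. */
int flawed_string_seed(const char *s)
{
    int seed = 0;
    for (; *s != 0; s++)
        seed = (int)(seed * ((int)*s));   /* 0 * x is always 0 */
    return seed;
}

/* The combination quoted from pwgen.c. */
int combined_seed(int user_defined_seq, int time_seed)
{
    return user_defined_seq | time_seed;
}

/* Count the pairs (a, b) of 4-bit values with a | b == target.
 * Illustrates the footnote: an or can set bits but never clear them. */
int or_pairs_yielding(unsigned target)
{
    int count = 0;
    for (unsigned a = 0; a < 16; a++)
        for (unsigned b = 0; b < 16; b++)
            if ((a | b) == target)
                count++;
    return count;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "a", "hunter2", "Zx9!qLm#4t" };
    int now = (int)time(NULL);

    for (int i = 0; i < 3; i++) {
        int u = flawed_string_seed(samples[i]);
        printf("%-12s string seed=%d  combined==time: %s\n", samples[i],
               u, combined_seed(u, now) == now ? "yes" : "no");
    }
    printf("pairs giving 1111: %d, pairs giving 0000: %d\n",
           or_pairs_yielding(0xF), or_pairs_yielding(0x0));
    return 0;
}
```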
   

3. Conclusion
-------------

   If you are using pwgen to generate passwords, it is advisable to
change to another password generator like [2] or [3]. This is not
necessary in all cases, because an attacker needs to know that you
are using pwgen to use this security flaw effectively.
   
   
4. Links
--------
   
[1] http://metalab.unc.edu/pub/linux/system/security/pwgen-0.1.tar.gz
    A download location for pwgen 0.1
[2] http://genpw.sourceforge.net
    Another good password generator
[3] http://sourceforge.net/projects/pwgen
    Just another good password generator
    

Boris Schauerte                     borisscha[AT]users.sourceforge.net