Here is my new password generation script. The attachment, swordfish.txt, is in dos format. Remember that you need to use dos2unix or flip or something to get it into unix format.
The script is self documenting. It has an extensive help system built-in. And you can run:
swordfish "set LineLength=75" "help user_guide"
to get a complete user guide.
Here is a sample run to show some of the features:
$ ./swordfish
>>}###@>---- format +s +x 10
password statistics are on
password expansions are on
10 passwords will be generated per template
>>}###@>---- CvccEnnn
Template EEEEEEEE has 2,992,179,271,065,856 possibilities
Template CvccEnnn has 3,982,230,000 possibilities
YisdG633 YANKEE india sierra delta GOLF six three three
DehtK503 DELTA echo hotel tango KILO five zero three
Hickt465 HOTEL india charlie kilo tango four six five
SeydP384 SIERRA echo yankee delta PAPA three eight four
Fakt0554 FOXTROT alpha kilo tango zero five five four
FexrS395 FOXTROT echo x-ray romeo SIERRA three nine five
Bamwv220 BRAVO alpha mike whiskey victor two two zero
XumtF501 X-RAY uniform mike tango FOXTROT five zero one
HilbS790 HOTEL india lima bravo SIERRA seven nine zero
Xijsw021 X-RAY india juliet sierra whiskey zero two one
>>}###@>----
I can generate random hexadecimal numbers. Password generators are very close to being random number generators. So it is fair to ask a password generator to pass tests intended for a random number generator. I did this:
$ ./swordfish "define X=(n{ABCDEF})" "format 1000000" "X<80>" > hex.txt
This command took 13711 seconds.
$
At that point I had one million lines of hexadecimal numbers, each 80 characters in length. This is exactly the input format needed by the asc2bin program of the diehard test suite. I ran diehard on the data file, selecting all 15 tests. The data passes all 15 tests. The results are attached.
need help. when i tried running the sworfish from the same folder that it is residing i could get the passwords working perfectly fine. However, when i tried running it from a different path by giving the absolute path i get the below mentioned warning message. i also tried running it through the shell scripts i tried a cd to the folder and then launched using the command ./swordfish.txt some times this works and some times it fails can some one help me understand why is it failing some times?
I will post a new copy of swordfish making these changes:
In the weak_start_tigershark function: the line in green is new.
function weak_start_tigershark
{
typeset -i i final duration
((final=SECONDS+2))
while((SECONDS < final)) ; do
i=$RANDOM
done
((Carry=0))
((X0=$$))
((X1=RANDOM))
((X2=RANDOM))
((X3=RANDOM))
((DEBUG)) && echo weakstart X3=$X3 X2=$X2 X1=$X1 X0=$X0 Carry=$Carry
Sum=0
((Stigershark=Stigershark+1))
return 0
}
In the Main section: The lines in red go away:
if [[ $Entropy = $ZeroEntropy ]] ; then
echo "********************************" >&2
echo "* *" >&2
echo "* Warning: Entropy is zero! *" >&2
echo "* *" >&2
echo "********************************" >&2
echo generating weak entropy... >&2
weak_start_tigershark
status_tigershark
entropy_generator 1 array
echo Entropy = ${Entropy}
NeedMoreEntropy=1
fi
It is too early in the program to call status_tigershark since linecount has not be initialized and also it is sending unsolicted output to stdout. And that "echo Entropy" should have been directed to stderr as well. The remaining error message should be enough to call attention to the fact that swordfish is not operating in an optimum manner. And the user can always turn on debug mode for more output.
Yes, my intent is that swordfish be invoked always in the same directory. swordfish maintains an entropy file which is random data used to initialize the internal random number generator. But the first time the random number generator is called, there won't be an entropy file. So swordfish will initialize the RNG from /dev/urandom or /dev/random. If neither of those is available then swordfish is stuck with no decent source of initial random numbers. So it invokes the internal ksh RANDOM routine to get a few random numbers and it uses its current PID for one more random number. It first spends a couple of seconds burning off some of KSH's random numbers so it is not as bad as it might otherwise be. But it still complains about the situation. This is what is happening to you. Even HP-UX finally implemented /dev/random in 11.23. What OS are you using without a /dev/random?
If you really want to call swordfish from arbitrary directories, you could change the line:
ENTROPYFILE=swordfish.ent
to be an obsolute path to your entropy file. But remember, if other people can read your entropy file, they might be able to predict the passwords it
will generate.
I use your tool on Solaris 10, only i get this error.
[machine:user]$ ./swordfish
>>}###@>---- format +s +x 10
./swordfish[39]: !X0 && !X1 && !X2 && !X3 && !X4 && !Carry : bad number
password statistics are on
password expansions are on
10 passwords will be generated per template
Opps! Sorry ArcAngel, I had not noticed your report before. Better late than never I guess. :o There is no X4, it only goes up to X3. The fix was to remove "!X4 && " from that line. Actually, it's odd that the script ran everywhere else.
I have recently been ordered to use 12 character randomly generated passwords that meet strong complexity requirements. That is why I have dusted off this old script. I need it badly right now. Ironically, I want to to run on Solaris just like ArcAngel. I also tested it on RedHat and it broke on the latest ksh. I had to change my character slicing technique to get it work. I used to do stuff like this:
first=${x%${x#?}}
to get the first character. That breaks depening on the contents of the field. That had always been the case but it breaks more easily with today's ksh. I switched to
first=$x
while ((${#first} > 1 )) ; do
first=${first%?}
done
which works all the time and it much faster than it looks. I upgraded the help system a little, corrected spelling errors, etc. I had to reverse engineer my own code so I upgraded the comments quite a bit as well. It saved me from needed to memorize a string of garbage from a lesser password generator. I hope others can use it as well.
If I could make a quick feature request - to be able to copy a password to the clipboard (pref. plain X11) instead of outputing otherwise (I've had a quick look for a way to do this to no avail). Also a util to securely erase a file a password was output to would be complimentary.
This was an interesting article, The Usability of Passwords. It appears a short phrase of (near) normal English is as secure as 8 or so mixed symbols/chars.
Myself I'm still trying to figure how I'm getting incidents of MITM style data injection over a SSL vpn to a https webpage! (I can't do any more to make the physical machine itself more secure either - so I am assuming this is not the problem, and I'm not running any dodgy software otherwise.)
okhawaja, I can't do much with a bug report like that.
GSO, I am revising the script right now but I don't plan to do anything like that. If you're running it in a decent window environment, you should have cut and paste. Even if I wanted to implement your request, puttting a feature like that in a script seems daunting and would certainly undermine the portability. I hope that swordfish will work with any version of ksh even on an old ascii terminal. Sorry.
