The sys admin's daily grind: PWGen

Cryptic Coder


Easy to remember but still safe - this is the classic conflict when it comes to choosing a password. The PWGen tool offers a sensible compromise.

By Charly Kühnast

If you recall, I complained about weak passwords in issue 84 [1]. The Fail2ban tool I talked about prevents disasters, but it really only treats the symptoms. If I choose the timing parameters carefully, Fail2ban will repel brute-force attacks, but it stands no chance against password post-its on the keyboard or easily guessed passwords (Figure 1). As always in security technology, the level of protection the admin wants and the convenience the users prefer are in conflict.

Figure 1: The IPtables blockade against the host at 10.0.0.254 started at 10:52am and ended at 10:57am.

Rotating the passwords every four weeks on top of other security requirements wears on users' patience; plus, you can't expect them to remember stuff like this. So your users write down their passwords, and Murphy's Law dictates that they will leave their notes in the worst possible place. The other side of the coin is an environment in which the admin lets the users have their way and they end up with passwords like tux or top_secret. So what's your next move?

Password Distributor

PWGen [2] offers a compromise: The tool generates passwords with configurable properties. Calling PWGen without any parameters in the shell gives me a list of passwords with lower- and upper-case letters and numbers. pwgen -s -y gives you really robust passwords that might look something like this:

+3HEg,_5
1P.A@=2U
@||{}9Cy

But PWGen can generate simpler passwords without putting security on a level with your neighbor's dog's name. PWGen will not use non-standard characters by default, and the -B parameter suppresses characters that users tend to confuse, such as 1 and l or O and 0. If you make a concession and do without numbers, you can generate passwords that people can pronounce with some imagination. Figure 2 shows a whole list of these passwords, which are a useful compromise between convenience and security - as long as you are protecting non-privileged user accounts and not the crown jewels.

Figure 2: PWGen generates whole lists of passwords, some of which are easy enough for users to memorize.
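To make the trade-off measurable, here is an added Python script (not from the column and not PWGen's own code) that models the three policies discussed above: a fully random mode in the spirit of pwgen -s -y, a -B style filter for look-alike characters, and a simplified pronounceable mode, each with an entropy estimate. The phoneme tables and the ambiguity list are assumptions and are smaller than the real pwgen ones.

```python
import math
import secrets
import string

# Simplified stand-ins for the pwgen behaviour described above (assumption:
# pwgen's real phoneme tables and its -B ambiguity list are larger than these).
AMBIGUOUS = set("B8G6I1l0OQDS5Z2")   # the kind of look-alikes -B drops
VOWELS = "aeiou"
CONSONANTS = "bcdfghjklmnprstvwz"

def alphabet(symbols=False, no_ambiguous=False):
    """Character pool for a fully random (pwgen -s style) password."""
    chars = string.ascii_letters + string.digits
    if symbols:                        # pwgen -y adds punctuation
        chars += string.punctuation
    if no_ambiguous:
        chars = "".join(c for c in chars if c not in AMBIGUOUS)
    return chars

def entropy_bits(length, pool_size):
    """Entropy of `length` independent uniform picks from `pool_size` symbols."""
    return length * math.log2(pool_size)

def secure_password(length=8, symbols=True, no_ambiguous=False):
    """Fully random password, like `pwgen -s` (`-y` when symbols=True)."""
    pool = alphabet(symbols, no_ambiguous)
    return "".join(secrets.choice(pool) for _ in range(length))

def pronounceable_password(length=8, digits=True, no_ambiguous=False):
    """Consonant/vowel alternation so the word can be spoken, plus one
    capital and (unless digits=False) one digit, like pwgen's default mode."""
    cons = [c for c in CONSONANTS if not (no_ambiguous and c in AMBIGUOUS)]
    caps = [c for c in cons if not (no_ambiguous and c.upper() in AMBIGUOUS)]
    digs = [d for d in string.digits if not (no_ambiguous and d in AMBIGUOUS)]
    pw = [secrets.choice(cons if i % 2 == 0 else VOWELS) for i in range(length)]
    # capitalise one consonant slot, choosing a letter whose capital is unambiguous
    pw[secrets.choice(range(0, length, 2))] = secrets.choice(caps).upper()
    if digits:                         # swap one vowel slot for a digit
        pw[secrets.choice(range(1, length, 2))] = secrets.choice(digs)
    return "".join(pw)

def pronounceable_bits(length=8, no_ambiguous=False):
    """Rough lower bound: ignores the extra choice from the capital and digit."""
    cons = len(CONSONANTS) - (1 if no_ambiguous else 0)   # -B drops 'l'
    return (length - length // 2) * math.log2(cons) + (length // 2) * math.log2(len(VOWELS))

if __name__ == "__main__":             # constructed demo run, output varies
    print(secure_password(), f"~{entropy_bits(8, len(alphabet(True))):.0f} bits")
    print(pronounceable_password(no_ambiguous=True), f"~{pronounceable_bits(8, True):.0f} bits")
```

The numbers make the column's point concrete: an 8-character fully random password with symbols is worth roughly 52 bits, while the pronounceable variant is closer to 26, which is why the latter belongs on non-privileged accounts only.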

In theory, you could make this even simpler by telling PWGen not to use upper-case letters, but I wouldn't recommend it. I don't want to make it too easy for my users - after all, mind jogging is good for you.

INFO
[1] "Fail2ban" by Charly Kühnast, Linux Pro Magazine, November 2007, pg. 63: http://www.linuxpromagazine.com/issues/2007/84
[2] PWGen: http://sourceforge.net/projects/pwgen/
THE AUTHOR

Charly Kühnast is a Unix System Manager at the data center in Moers, near Germany's famous River Rhine. His tasks include ensuring firewall security and availability and taking care of the DMZ (demilitarized zone).