Hack 32 Automate Memorable Password Generation

figs/expert.gif figs/hack32.gif

Make it easier for your users to choose good passwords.

It doesn't matter whether you're an administrator responsible for enforcing a password policy or an end user trying to comply with said policy. You're struggling against human nature when you ask users to choose and remember hard-to-guess passwords. Passwords that aren't random are easy to guess, and passwords that are too random tend to manifest themselves on sticky notes under users' keyboards or in their top drawers.

Wouldn't it be great if you could somehow offer users random but memorable password choices? There's a standard designed for just this purpose: APG, the Automated Password Generator.

3.10.1 Installing and Using apg

If you're running FreeBSD, you can install apg from the ports collection:

# cd /usr/ports/security/apg # make install clean

Once the port is installed, any user can run apg to generate a list of random, but pronounceable and memorable, passwords:

% apg -q -m 10 -x 10 -M NC -n 10 plerOcGot5 (pler-Oc-Got-FIVE) fobEbpigh6 (fob-Eb-pigh-SIX) Ekjigyerj7 (Ek-jig-yerj-SEVEN) CaujIvOwk8 (Cauj-Iv-Owk-EIGHT) yenViapag0 (yen-Viap-ag-ZERO) Fiwioshev3 (Fi-wi-osh-ev-THREE) Twomitvac4 (Twom-it-vac-FOUR) varbidCyd2 (varb-id-Cyd-TWO) KlepezHap0 (Klep-ez-Hap-ZERO) Naccudhav8 (Nac-cud-hav-EIGHT)

Notice that each password comes with a pronunciation guide, since it's easier to remember something you can pronounce.

Also, note that syntax. We're definitely going to have to do something about all of those switches! But first, let's take a look at Section 3.2 and make sure we understand them.

Table 3-2. apg switches




Suppresses warnings (think quiet), which will be useful when we write a script

-m 10

Sets the minimum password length to 10 characters

-x 10

Sets the maximum password length to 10 characters


Requires numerals and capitals

-n 10

Generates 10 password choices

While this utility is very handy, we can definitely hack in our own improvements. For starters, users aren't going to use a utility that requires a line's worth of switches. Second, we don't want to install this utility on every system in our network. Instead, let's work out a CGI script. That way users can access the script from their web browsers.

3.10.2 Improving apg

First, let's sort out all of the switches we'll use in the script. We need something to add a punctuation character in the middle, or we won't meet Air Force password regulations. The simplest fix is to run apg twice with smaller password requirements, concatenating the results. The first run, without punctuation characters, looks like this:

% apg -q -m 4 -x 4 -M NC -E Ol -n 10 Dij6 (Dij-SIX) Voj6 (Voj-SIX) Pam0 (Pam-ZERO) Dev9 (Dev-NINE) Non6 (Non-SIX) Eyd7 (Eyd-SEVEN) Vig9 (Vig-NINE) Not8 (Not-EIGHT) Nog2 (Nog-TWO) Von9 (Von-NINE)

Here I've reduced the minimum and maximum password length to four characters. I've also added the option -E Ol to exclude capital "oh" and small "ell" from passwords, because they're easily confused with the digits zero and one.

The second run includes the -S option, which makes the password generator use special characters:

% apg -q -m 4 -x 4 -M S -E Ol -n 10 orc) (orc-RIGHT_PARENTHESIS) tof| (tof-VERTICAL_BAR) fed^ (fed-CIRCUMFLEX) gos@ (gos-AT_SIGN) sig& (sig-AMPERSAND) eif) (eif-RIGHT_PARENTHESIS) eds{ (eds-LEFT_BRACE) lek> (lek-GREATER_THAN) tij: (tij-COLON) rot] (rot-RIGHT_BRACKET)

Now for a CGI script to paste the results together. I've numbered each line of the script for explanation purposes. Don't include line numbers when you create your own script.

This script is written in the Korn shell, but can be modified for any shell. To run as is, install the Korn shell from /usr/ports/shells/ksh93.

1  #!/bin/ksh 2  # run apg twice, concatenate results. 3  # exclude most special characters requiring shift key, 4  # capital "oh" (looks like zero), 5  # lowercase "ell" (looks like digit "one") 6  PATH=/bin:/usr/bin:/usr/local/bin; export PATH 7  umask 077 8  a=/tmp/apg.$RANDOM 9  b=/tmp/apg.$RANDOM 10  cat << EOF 11  Content-type: text/html 12  <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"> 13  <html> 14    <head> 15      <title>Help generating a new password</title> 16    </head> 17    <body> 18      <h3>Help generating a new password</h3> 19      <blockquote> 20        These passwords should be reasonably safe. 21        Feel free to use one, or reload the page 22        for a new batch.</p> 23        <blockquote> <pre> <font size="+1"> 24  EOF 25  apg -q -m 4 -x 4 -M NC -E '!@#$%^&*( )\\' -n 10 > $a 26  apg -q -m 4 -x 4 -M S  -E '!@#$%^&*( )\\' -n 10 > $b 27  # tr command is for bug workaround; apg is not supposed to 28  # include characters specified after -E option. 29  paste $a $b | 30      tr 'l' 'L' | 31      awk ' 32        BEGIN { 33          printf "Password\tRough guess at pronunciation\n<hr />" 34        } 35        { 36          printf "%s%s\t%s %s\n", $1, $3, $2, $4 37        }' 38  cat << EOF 39        </font> 40        </pre> 41        </blockquote> 42      </blockquote> 43      <hr /> 44    </body> 45  </html> 46  EOF 47  rm $a $b 48  exit 0

3.10.3 Script Walkthrough

Line 6 sets the PATH to a known safe value. This lessens the possibility that an attacker can cause this program to execute a hazardous binary. Make sure apg is in this path.

Line 7 sets the umask so that only this user can read the temporary files to be generated later.

Lines 8 and 9 work because Korn shell scripts generate random numbers automatically. If /bin/ksh is not on your system, use mktemp to generate temporary files safely.

Lines 10-24 print the page header. I usually make a sample page and then run it through /usr/ports/www/tidy to get a decent DOCTYPE header and indentation.

Lines 25 and 26 issue apg commands to generate two separate files containing four-character passwords.

Lines 31-37 use an awk script to print the password plus its pronunciation. The BEGIN section prints only once, before any lines are read. The printf section expects lines with four fields: two pairs of password and pronunciation strings from the temporary files. The first and third fields are printed together to form the password, and the second and fourth fields are printed together to form the pronunciation guess.

Lines 38-46 finish the page.

Lines 47 and 48 clean up the temporary files.

3.10.4 See Also

  • man apg

  • man mktemp

  • The APG web site (http://www.adel.nursat.kz/apg/)

  • FIPS 181, the APG Standard (http://www.itl.nist.gov/fipspubs/fip181.htm)

BSD Hacks
BSD Hacks
ISBN: 0596006799
EAN: 2147483647
Year: 2006
Pages: 160
Authors: Lavigne

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net