- About Us
I agree that "-s 0" leads to a smaller set of characters, and therefore weaker passwords. But dangerously poor? With -s0 you get passwords that are 9 characters long and each character has 26+26+10=62 possibilities. That works out to some 13*10^18 possible strings. If I run the shell commands like you suggested, I find that on a similar size of ~100,000 generated passwords, the sort/uniq tells me there are NO duplicates at all- I don't know how you came up with "only" 4095 unique values.
Maybe its the DES algorithm. Of course, nobody uses that - passwords have been hashed using md5 for many years now. The md5 hash you can see in /etc/shadow are much longer than the 9 character password. I would not expect any collisions in this process. If there are any, then md5 is a lousy algorithm. (Okay, it has been shown that md5 can be factored, and SHA is better, but this is still far from everyday hackable).
Am I missing something? For sure, using -s0 leads to weaker passwords, but consider the hassle: how many of your lusers can distinguish ' from `, or locate the ^ symbol on their keyboards. For me, having users complain that their "password does not work" on a regular basis is a big pain, and if it ends up in me resetting those "wacky" passwords to "regular" ones, then we might have well just used -s0 in the first place.
Return to Automated user management with Expect