Re: password in recovery.conf [SOLVED]

[Gavin Flower <GavinFlower@xxxxxxxxxxxxxxxxx>]

On 27/09/14 11:56, John R Pierce wrote:

On 9/26/2014 4:40 PM, John R Pierce wrote:

I'd consider using `mkpasswd -l 15 -s 0`  just to avoid any such problems.   15 random alphanumerics is already plenty complex, 62^15th possible combinations, without needing to mix in special characters.

$ mkpasswd -l 15 -s 0
eec1kj7ZsthlYmh

btw, thats 768,909,700,000,000,000,000,000,000 possible passwords. 768 septillion, using the aamerican 'short scale' naming convention.  if you could brute force try 10000/second, it would merely take 24,365,800,000,000 centuries (24 trillion).

So do you think a password like Nxw7TnC2^}%(}tEz is strong enough?  :-)

I developed a Java program that generates 20 passwords (each of 16 characters) at a time, I've attached it for anyone who might be interested.  I have put it under the GPL version 3, but I might consider releasing under other licences.


Cheers,
Gavin

package gcf.misc;

/**
 * Copyright © 2012 Gavin C. Flower
 * 
 * author: gavin.flower@xxxxxxxxxxxxxxxxx
 * 
 * This program is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation, either version 3 of the License, or (at your option) any later
 * version.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 * 
 * For full details of the license see <http://www.gnu.org/licenses/>.
 */

import java.security.SecureRandom;

public class AppPasswordGenerator
{
    private final static int PASSWORD_LENGTH = 16;

    private final static int MAX_INDEX = PASSWORD_LENGTH - 1;

    /*
     * We avoid ambiguous characters, so you won't get 'I1|l', 'B8', 'S5', or
     * 'O0' being produced
     */

    private static String DIGITS = "23456789";

    private static String SPECIAL = "!@#$%^&*()_+{}[]<>.:";

    private static String UPPER = "ACDEFGHJKLMNPQRTVWXY";

    private static String LOWER = "abcdefghijklmnopqrstuvwxyz";

    private static String FULL = DIGITS + SPECIAL + UPPER + LOWER;

    private final StringBuilder SB = new StringBuilder(PASSWORD_LENGTH);

    SecureRandom secureRandom = new SecureRandom();

    AppPasswordGenerator()
    {
        /*
         * This is way more complicated than it needs to be for the current
         * application, but it was fun coding it!
         * 
         * The use of sin() & exp() introduce a semirandom delay in obtaining
         * the current time in nano seconds as well as returning values to act
         * as additional randomising factors.
         */
        long nanoA = System.nanoTime();
        double sinVal = Math.sin(nanoA);
        long nanoB = System.nanoTime();
        double expVal = Math.exp(sinVal);
        long nanoC = System.nanoTime();
        int shift = (int) nanoB & 0x3F;
        long rotation = Long.rotateRight(nanoC, shift);
        long rawBits = Double.doubleToRawLongBits(expVal);
        long seed = rotation ^ rawBits;
        secureRandom.setSeed(seed);

// System.out.printf("        nanoA: %016X\n", nanoA);
// System.out.printf("       sinVal: %16.13f\n", sinVal);
// System.out.printf("        nanoB: %016X\n", nanoB);
// System.out.printf("       expVal: %16.13f\n", expVal);
// System.out.printf("        nanoC: %016X\n", nanoC);
// System.out.printf("        shift: %16d\n", shift);
// System.out.printf("      rawBits: %016X\n", rawBits);
// System.out.printf("     rotation: %016X\n", rotation);
// System.out.printf("         seed: %016X\n", seed);
// System.out.printf("FULL.length(): %16d\n", FULL.length());
    }

    public static void main(String[] args)
    {
        AppPasswordGenerator appPasswordGenerator = new AppPasswordGenerator();
        appPasswordGenerator.go();
    }

    private void go()
    {
        assert PASSWORD_LENGTH > 5; // Actually, later code assume 16...

        for (int i = 0; i < 20; i++)
        {
            printAPassword();
        }
    }

    private void printAPassword()
    {
        addChar(DIGITS);
        addChar(DIGITS);
        addChar(SPECIAL);
        addChar(UPPER);
        addChar(LOWER);

        for (int ii = SB.length(); ii < PASSWORD_LENGTH; ii++)
        {
            addChar(FULL);
        }

        // Randomise password characters
        for (int index_a = 0; index_a < PASSWORD_LENGTH; index_a++)
        {
            char ca = SB.charAt(index_a);
            int index_b = secureRandom.nextInt(PASSWORD_LENGTH);
            char cb = SB.charAt(index_b);
            SB.setCharAt(index_b, ca);
            SB.setCharAt(index_a, cb);
        }

        // Ensure the last character is not a digit
        while (Character.isDigit(SB.charAt(MAX_INDEX)))
        {
            int index = secureRandom.nextInt(MAX_INDEX);
            char ca = SB.charAt(MAX_INDEX);
            char cb = SB.charAt(index);
            SB.setCharAt(index, ca);
            SB.setCharAt(MAX_INDEX, cb);
        }

        String pw1 = SB.substring(0, 4);
        String pw2 = SB.substring(4, 8);
        String pw3 = SB.substring(8, 12);
        String pw4 = SB.substring(12, 16);
        System.out.printf("%s  %s  %s  %s\n\n", pw1, pw2, pw3, pw4);

        SB.setLength(0);
    }

    private void addChar(String pCharacters)
    {
        int index = secureRandom.nextInt(pCharacters.length());
        char c = pCharacters.charAt(index);
        SB.append(c);
    }
}

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general