[Mac_crypto] PassGen2 Password Generator Applet

[Arnold G. Reinhold]

PassGen is a simple Java applet for generating random passwords that I
posted to the Internet in 1996. PassGen collects randomness by
measuring keystroke timing as the user entered characters at random.
An updated version of this open source utility, PassGen 2.0
(http://world.std.com/~reinhold/passgen.html), is now available. It is
provided under the GNU General Purpose License and includes the
following enhancements:

1. Additional templates.
PassGen can now provide 8-character passwords using the entire
95-character ASCII-7 printable character set. (Select the "MMMMMMMM"
template.) This is important because many Unix systems in use, including OS-X,
  limit passwords to 8 characters, do not protect the encrypted passwords and
use only 12 bits of salt. With the dramatic decrease in the cost per
gigabyte of computer disk drives, it is now feasible for an
organization with moderate resources to mount a full dictionary attack
on passwords shorter than 8 characters or which use significantly less
than the full set of 95 characters. If security is at all a concern, 
only fully random 8-character passwords should be used for OS-X 
administrative accounts and for root, if it is enabled.

2. Stronger random number generation.
The earlier version of PassGen used an entropy distiller with 64 bit
internal state, based on a linear congruential algorithm. PassGen 2
uses an entropy distiller based on the Arcfour (RC4) cipher.

3. More conservative estimate of input entropy.
The earlier versions of PassGen generated one character of output for
every input keystroke. PassGen2 collects 25 keystrokes before the
first password character is emitted and then requires three keystrokes
for each additional output character.

Note that there are a number of free password generators available on
the Internet that do not provide source code, do not explain what they
use as a source of randomness or use one of the built-in "random"
number generators that come many computer languages. Such programs
should be avoided or used with caution.

Technical Details  (not needed to use the program)

As in Arcfour, PassGen2 uses a 256-byte state vector S that is
initialized to be a null permutation. As entropy is collected, S is
permuted according to the Arcfour key setup algorithm. Before each
password output character is emitted, the i and j registers are reset
and S is subjected to 10 full mixing passes. This is exactly
equivalent to running the Arcfour cipher generation algorithm on S and
discarding the first 2560 output characters.

When using an 8-bit value to select a character from an alphabet of
length k, there is a risk of bias if k does not evenly divide 256. To
eliminate this, candidate cipher output bytes are discarded if they
are greater than or equal to the largest multiple of k less than 256.

Published analyses (e.g.
http://www.mindspring.com/~dmcgrew/rc4-03.pdf) have shown that Arcfour
deviates slightly from perfect randomness. But the deviations measured
are far too small to compromise the generation of a few passwords. The
extensive additional mixing PassGen2 performs before each password
character is output should eliminate even that bias. Using Arcfour has
several advantages. The state space is large, 1684 bits. The algorithm
has been widely studied. It is simple to implement and easy to verify.
The last consideration is important for anyone contemplating using a
utility downloaded over the Internet. For additional protection I have
signed the source code using PGP. People desiring even greater
assurance can use the dice based password generation techniques
described at http://www.diceware.com .


Arnold Reinhold