How do you spell "PSK"?
In my line of work, there are a lot of uses for a random string of text. Things like:
- VPN Preshared Keys
- RADIUS or TACACS "shared secrets"
- Windows Service Account Passwords
- Administrative accounts (Windows local or domain Administrator, in some cases root in *nix)
You get the picture. Strings that you need to key once, or once per instance. In most cases, these are strings that, after creation, you don't necessarily need to know; you just need to know how to change them.
With this list of parameters, you'd think that folks would use random characters for these functions, right? At least do the random keyboard walk for it? In my experience, this is almost NEVER the case. People try to spell things: "l3tm31n", "D0ntg0th3r3" and the like. They'll use their company name, or the street address of their organization, or some other "meaningful" string. And after using "leet-speak" passwords, they then carefully record the password and save it to a text file, usually on the server that's using the password. As a pentester, this is a win for me: I don't even need to crack the password, you just gave it away! As a system administrator, this horrifies me!
So, what to do? In the past, I've used an Excel spreadsheet to generate a random string of "n" characters, selected from a set of characters that does not include the "confusing" ones (Oo01lIiL and so on). The "randomness" was defined by how long I felt like leaning on the F9 key that day. After creating the string, I would then try to get my client to NOT write down the string. This almost never works, but it's worth a try.
For today's story, I decided to improve on this a bit, and re-coded it in Python. This was a 5 minute script (as most of mine are), so if you see a way to improve or neaten this up in any way, please, don't be shy, use our comment form.
========================================= psk.py =========================================
from random import SystemRandom  # OS-backed CSPRNG; the module-level randint() is a seeded Mersenne Twister, not suitable for keys
import sys
if len(sys.argv) != 2:  # verify syntax
    print("Syntax: psk.py LENGTH_OF_PSK")
    sys.exit(1)
rndstrlen = int(sys.argv[1])  # how long is the output string?
outstring = ""
chars = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"  # define the list of valid characters (0/O/o, 1/l/I/i/L left out)
charlist = list(chars)  # change it to a list for lookups
numchars = len(charlist) - 1  # highest valid index, since indices start from zero
rng = SystemRandom()
for i in range(0, rndstrlen):
    c = charlist[rng.randint(0, numchars)]  # pick a random char from the list
    outstring += c  # append it to outstring
print(outstring)
==========================================================================================
Running this as "python psk.py 15" will create a 15 character pseudo-random string:
C:\> python psk.py 15
xnHDCcRGetuswhf
C:\> python psk.py 15
bvDJhrtRC4QMmks
C:\> python psk.py 15
nWChNxBPMVZbaDb
C:\> python psk.py 15
UXbcSm9Bk9RHTWc
C:\> python psk.py 15
uVs34MZuta9PFTk
You can change the values that are permitted to be in the string (to exclude lower-case letters, or to add special characters) by adding or removing characters in the "chars" string. Changing the length of the string is as simple as changing the value in the command line option:
C:\> python psk.py 32
pPPhe6Pn9RbGN3gr6UZZfqZYt4ajSfjg
C:\> python psk.py 64
xsk9rNaX77UtSNfCGVVgWeEm9xS7mgMwcbx4FaquPz9cpMJFqRC5YYrf5Wyp8mp7
And please, in most cases there is NO reason to write down this password. Your "Windows service password for whichever service", for instance, should be changed periodically, but in most cases there is no reason that you should know what it is; you just need to be able to change it.
Also, if you use this to create a random pre-shared key for your site-to-site VPN, emailing it in cleartext is what we call "a bad idea". Not only is it open for theft as it transits the internet (and both internal networks), it's also stored (likely forever) in your sent mail and in the recipient's inbox, and likely in the Exchange Server message store. The whole cleartext data at rest / cleartext data in transit concept should ring a bell, especially if you've been audited for PCI lately.
As always, in these days when brute-forcing is simple, quick and cheap, bigger is in fact better. For pre-shared keys or "write only" passwords, I generally start at 32 characters and go up from there. Since you never need to re-key the thing after it's generated, you can cut/paste it and forget it.
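As an added example (not the diary's psk.py, and not code from the author), here is the same idea written the way I would ship it today: the character pool is assembled from the standard sets minus the look-alikes, the draw uses the `secrets` module (Python 3.6+) rather than the seeded `random` generator, and the script reports how many bits of entropy a given length buys you, which is the quantity that actually backs the "bigger is better" point above. The default look-alike set is the diary's own (Oo01lIiL); the extended set that also drops 5/S, 8/B, C/Q is an assumption of mine, added to illustrate the trade-off between readability and alphabet size.

```python
import math
import secrets
import string

# Added example, not the diary's script. Look-alike characters that are easy to
# misread off a screen or printout. BASIC matches the diary's exclusions;
# EXTENDED (5/S, 8/B, C/Q) is an assumed, stricter set for hand-typed keys.
AMBIGUOUS_BASIC = set("Oo01lIiL")
AMBIGUOUS_EXTENDED = AMBIGUOUS_BASIC | set("5S8BCQ")


def build_alphabet(lowercase=True, uppercase=True, digits=True,
                   symbols=False, ambiguous=AMBIGUOUS_BASIC):
    """Assemble the permitted character set, then strip the look-alikes."""
    pool = ""
    if lowercase:
        pool += string.ascii_lowercase
    if uppercase:
        pool += string.ascii_uppercase
    if digits:
        pool += string.digits
    if symbols:
        pool += string.punctuation
    alphabet = "".join(ch for ch in pool if ch not in ambiguous)
    if not alphabet:
        raise ValueError("alphabet is empty after removing ambiguous characters")
    return alphabet


def generate_psk(length, alphabet):
    """Draw `length` characters uniformly with secrets.choice (OS CSPRNG)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet):
    """Entropy of a uniformly chosen string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def has_ambiguous(psk, ambiguous=AMBIGUOUS_BASIC):
    """True if the key contains any character from the look-alike set."""
    return any(ch in ambiguous for ch in psk)


if __name__ == "__main__":
    # Same three lengths the diary demonstrates, plus the entropy each carries.
    alphabet = build_alphabet()
    for n in (15, 32, 64):
        key = generate_psk(n, alphabet)
        print(f"{n:3d} chars, {entropy_bits(n, alphabet):6.1f} bits: {key}")
    # A stricter alphabet costs a little entropy per character; make it back with length.
    strict = build_alphabet(ambiguous=AMBIGUOUS_EXTENDED)
    print(f"basic alphabet {len(alphabet)} chars, strict alphabet {len(strict)} chars")
```

With the diary's exclusions the alphabet has 54 characters, so a 32 character key carries about 184 bits and a 15 character key about 86; dropping the extra look-alikes leaves 48 characters, which shaves roughly 0.17 bits per character, so adding one or two characters of length more than compensates.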
I hope that you find this simple bit of code useful. If you've got a simpler way of getting to the same results, or if you can improve on my quick-and-dirty python, please post to the comment field below!
===============
Rob VandenBrink
Metafore
Comments
gpg --gen-random 1 21 | gpg --enarmor | sed -n 5p
Anonymous
Sep 23rd 2013
Function Get-NewPassword([int]$lengthOfPassword=30,[int]$numberOfNonAlphanumericCharacters=7){
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
[System.Web.Security.Membership]::GeneratePassword($lengthOfPassword,$numberOfNonAlphanumericCharacters)
}
Anonymous
Sep 23rd 2013
However, if you've ever had to re-key one of these off of a printed copy, copy it off of the screen or, even worse, include it in documentation (I know, a REALLY bad idea, but it happens), you'll want to avoid zeros, the letter "O", the number 1 and the letters "I" and "l". I find that a list of permitted characters does the trick for me.
Anonymous
Sep 23rd 2013
to generate a nasty 32 character root password:
apg -a 1 -m 32
/?@q@a;K"_9z46tezcPAF}~Y)QZ0FeD@
7>?UhMB{,bp4rdh%,bHh7l8`V6@+e4k9
bNc^1C?"v*`g6I504]hgU#aop%G|66%Z
(FF^%PnD3h\.2HQ{uJb>k/&N,&&j&QnH
i@Cw![19oX7t~4;;2g>>SgF(uG_il_dl
_5IJ9`Mg2(uaWUux_YHDK{M\*[K]02Uu
to generate a user pronounceable password that meets a typical password complexity policy:
apg -m 8 -t -M SNCL
Mit)Huoth3 (Mit-RIGHT_PARENTHESIS-Hu-oth-THREE)
Gock?Oz1 (Gock-QUESTION_MARK-Oz-ONE)
Hilt]owIc6 (Hilt-RIGHT_BRACKET-ow-Ic-SIX)
Wowt/onk6 (Wowt-SLASH-onk-SIX)
Qualk4On< (Qualk-FOUR-On-LESS_THAN)
Nerd4twit; (Nerd-FOUR-twit-SEMICOLON)
Anonymous
Sep 23rd 2013
AY-BE-SEA-E-deeeeee-F ? I have heard of "I before E except after C", but "lower-E before lower-D" ? Is this an intentional part of your implementation of the algorithm?
Anyway, if you are omitting '1/I/l' and '0/O', then you should omit '5/S' and 'B/8' and 'C/Q/O', so that your over-50-years-pointy-haired-boss with less-than-optimal eyesight and needing-to-be-updated prescription-lenses and a funky on-screen font won't call you at home in the middle of the night, after getting locked-out for mis-entering a password "too many" times.
Or, maybe it's my fault, for trying to read too-many 25-character Microsoft product-keys when helping friends do a re-install of "best-practises-nuked-after-being-compromised" copy of Windows. Was the 17th-of-25 character a Q? an O? a C? a B? an 8? Arrgghh!
Anonymous
Sep 23rd 2013
Fixed now!
Anonymous
Sep 24th 2013
Absolutely nothing against this site in particular - it's the concept that I have personal doubt trepidation with.
Anonymous
Sep 24th 2013