6

Does anyone have an opinion on using UUIDs as passwords? This is intended for accounts created for external users, such as customer access to private SFTP folders. Or are people using public key instead? These users don't have a shell and are chroot'd to their directory.

From the manpage:

UUIDs are 128 bit numbers which are intended to have a high likelihood of uniqueness over space and time and are computationally difficult to guess. They are globally unique identifiers which can be locally generated without contacting a global registration authority. UUIDs are intended as unique identifiers for both mass tagging objects with an extremely short lifetime and to reliably identifying very persistent objects across a network.

I'm on Ubuntu 9.10, but the OSSP uuid package is available for most *nix distributions.

mikemaccana

3 Answers

7

There are many ways to generate a UUID, some of which are likely highly guessable. For instance, the current time is often a component and sitting right there, as is the machine's MAC address, etc. Don't confuse unique with unguessable.

I would not try to re-purpose UUIDs for passwords, but instead choose a strong password generator. If you're thinking about using a UUID for a password, clearly being able to remember it is not important, so I'd choose something like the output of MD5 with a few bytes from /dev/random or /dev/urandom:

dd if=/dev/random bs=128 count=1 | md5

Or, better yet, use a tool designed specifically for generating strong passwords. Ideally ones that users can remember without writing them down.

Michael Graff
  • Yes, in the past I've used apg(1) to generate passwords, which isn't bad. What's happening here is that users are using WinSCP and saving the password in their profile. The risk of someone else using their account is limited to them being able to read that customer's reports - the shell is /bin/false, and I'm using the new chroot capabilities of OpenSSH. So memorability isn't really a concern. –  Dec 16 '09 at 12:08
  • apg is a great tool. Thanks for suggesting it. – site80443 Sep 17 '22 at 22:23
5

The higher the level of complexity in the password, the higher the chance that the user will write it down on a Post-it note and stick it to their monitor, in addition to the support costs when the user forgets the password.

When using SSH Keys some form of password is recommended (but not required) to secure the key. Pass phrases are easier to remember than passwords so something like:

  • Firefox&is&JUST&a&browser
  • NotTheFirstHackI'dTry
  • The Quick Brown Fox

Will both reduce the incidence of calls to reset forgotten passwords, and improve security because your users are going to be able to remember them without writing them down.

Richard Slater
  • It should be noted that passwords are not strictly required to secure SSH keys, they're completely optional. – pboin Dec 16 '09 at 11:14
  • Updated, not using a password significantly reduces the security of the system, whilst technically it may not be required I would be surprised if company policy didn't require it. – Richard Slater Dec 16 '09 at 11:26
  • Yea, but in his case he knows people are storing the passwords in their profile, so an unprotected SSH key is only slightly worse than storing the key in the registry or some other file. – Michael Graff Dec 17 '09 at 20:55
0

I think in theory, using random UUIDs for machine passwords, API keys and such is a good idea. But they need to be written down, or copy/pasted. They aren't great when people have to type them in. (but you said they are going to get saved)

The OSSP uuid command, by default, generates a version 1 UUID. This is based on the MAC address of the current machine and the current time. So not as secure as they look.

If you run uuid -n 10, which generates 10 UUIDs, you will see a lot of characters are the same.

If you do uuid -v4 this will give you a random UUID. Better than the default.

I've had a look at the source for OSSP UUID and I can't decide whether the randomness is good enough. The source has not been updated for 10 years, and there has been much research and many viewpoints on making cryptographic random numbers since then. It is probably ok.

My favourite way to get a random uuid on a linux machine is cat /proc/sys/kernel/random/uuid

For the truly paranoid, you might also want to consider how much random data is available on the machine you are using. cat /proc/sys/kernel/random/entropy_avail You are looking for a big number, like more than 1000. If you are on a virtual machine, not doing much, you might struggle.

Tim Bray
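As an added example (not code from any of the answers above), a short Python script that unpacks the time and node fields of a version 1 UUID, which is what the default OSSP `uuid` output is and why "unique" is not the same as "unguessable", and contrasts it with a version 4 UUID and a CSPRNG-generated secret from the `secrets` module. The host time, MAC address and clock sequence are constructed sample values, not taken from the thread.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch (RFC 4122, 4.1.4).
UUID_EPOCH_OFFSET = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Constructed sample inputs: a hypothetical host with a locally administered MAC.
SAMPLE_TIME = datetime(2009, 12, 16, 12, 8, tzinfo=timezone.utc)
SAMPLE_NODE = 0x021122334455
SAMPLE_CLOCK_SEQ = 0x1234


def make_v1(when: datetime, node: int, clock_seq: int) -> uuid.UUID:
    """Assemble a version 1 UUID from its fields, the layout the OSSP `uuid`
    default and uuid.uuid1() emit. Integer arithmetic avoids float rounding."""
    delta = when - UNIX_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    ticks += UUID_EPOCH_OFFSET
    return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                             ((ticks >> 48) & 0x0FFF) | 0x1000,   # version nibble = 1
                             ((clock_seq >> 8) & 0x3F) | 0x80,    # RFC 4122 variant bits
                             clock_seq & 0xFF, node))

def decode_v1(u: uuid.UUID) -> dict:
    """Recover creation time, clock sequence and node (normally the MAC address)
    from a v1 UUID: all of it is readable from one leaked value."""
    if u.version != 1:
        raise ValueError(f"not a version 1 UUID: {u}")
    when = UNIX_EPOCH + timedelta(microseconds=(u.time - UUID_EPOCH_OFFSET) // 10)
    node = ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    return {"time": when.isoformat(), "clock_seq": u.clock_seq, "node": node}

def unpredictable_bits(u: uuid.UUID) -> int:
    """Bits an outsider cannot read off the UUID's public structure.
    v4: 128 - 4 version - 2 variant = 122. v1: only the 14-bit clock sequence
    is neither time- nor hardware-derived (and it need not be random either)."""
    return {4: 122, 1: 14}[u.version]

def strong_secret(nbytes: int = 24) -> str:
    """The replacement for a UUID when the value is pasted rather than typed:
    CSPRNG output from the secrets module (192 bits with the default size)."""
    return secrets.token_urlsafe(nbytes)

def demo() -> dict:
    """Side by side: what a v1 UUID gives away versus v4 and a real secret."""
    v1, v4 = make_v1(SAMPLE_TIME, SAMPLE_NODE, SAMPLE_CLOCK_SEQ), uuid.uuid4()
    return {"v1": str(v1), "v1_fields": decode_v1(v1), "v1_bits": unpredictable_bits(v1),
            "v4": str(v4), "v4_bits": unpredictable_bits(v4), "secret": strong_secret()}
```

Run `demo()` and note that the v1 value's date and MAC are recoverable by anyone who sees it, which is the property a password must not have.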