Re: single user machine, one "user" now(?) has no password (I didn't do it). [edited for clarity]

> I've added some detail for context,

In this this rewritten email

On Fri, Feb 20, 2026, 1:09 PM Samuel <armemulasagna@gmail.com> wrote:

I've added some detail for context, sorry about the noise, I wrote that in the wee hours last night.

> No.

>Most likely your script is buggy.

Why?

I've been over the main script, there's not much there to be buggy.

I'm not seeing any problem with the password generator either; It should always output something.

There would have to be something different about the invocation that generated this user; I'm just not seeing how that's possible.

(password generator basically reads from /dev/random, discards some values, translating others into printable characters.)

On Fri, Feb 20, 2026, 12:26 PM Samuel <armemulasagna@gmail.com> wrote:

Perhaps can tell me if this seems plausible. I was using the snaphot from February 4.

I've added several users, over several days, using the exact same script (I wrote), with the only input being the username on the command line. The script also generates a random encrypted password -- which I can see by looking at master.passwd. And all the user accounts seemed to work (until the system became unresponsive).

Recently I saw that the last user to be created this way has no password! My best guess is an un-updated chromium parsed a compromised web page, that ... removed the password.

passwd(1) requires the current password if the user calling it is not the superuser.

It seems like pledge ought to be an obstacle.

The compromised user was not logged in (to my knowledge) by the time I gave up and shut down the computer.

I always kill all processes associated with these accounts when I log out.

The password generator takes printable characters from /dev/random, adding more as needed.

On Fri, Feb 20, 2026, 5:49 AM Samuel <armemulasagna@gmail.com> wrote:

I've added several users, over several days, using the exact same script, with the only input being the username on the command line.  The script also generates a random encrypted  password, which I can confirm by looking at master.passwd.  And all the user accounts seemed to work (until the system became unresponsive).

Recently I saw that the last user to be created this way has no password!  My best guess is an un-updated chromium parsed a compromised web page, that ... removed the password (was running a snapshot, not stable).

Does that seem plausible?

(The compromised user was not logged in (to my knowledge) when I gave up and shut down the computer.)