What Port 129 Does
Port 129 is assigned to PWDGEN, the Password Generator Protocol. It is a well-known port in the 0-1023 range, meaning it was formally registered by IANA for a specific service.
That service is almost certainly not running on any machine you will ever encounter.
But it existed. And the problem it tried to solve is still unsolved forty years later.
The Protocol
PWDGEN is defined in RFC 972 [1], published in January 1986 by F. Wancho of White Sands Missile Range. The protocol is disarmingly simple:
TCP version: A server listens on port 129. A client connects. The server generates six randomly created, eight-character, pronounceable "words" and sends them back, each separated by a carriage return and line feed. Then the server closes the connection. No authentication. No dialog. No negotiation.
UDP version: A server listens on port 129. When it receives any datagram, it responds with the same six words in a reply datagram.
That is the entire protocol. Connect, receive six passwords, disconnect. The RFC is two pages long.
The Problem It Was Solving
By the mid-1980s, system administrators on the ARPA Internet had noticed something that remains true today: users choose terrible passwords. The RFC states it plainly: "user-selected login passwords were too easy to guess for even casual penetration attempts." [1]
Some sites tried dictionary filtering, rejecting passwords that matched common words. Others tried generating random passwords, but those passwords were impossible to remember because they looked like line noise.
Wancho's insight was that passwords could be both random and pronounceable. The PWDGEN algorithm generated eight-character strings that followed English phonetic patterns, words that had never existed but that your mouth could form and your brain could retain. The algorithm was implemented in FORTRAN-77 and distributed to system administrators.
The protocol offered six words per request so users could pick the one that felt right. And because multiple sites could run PWDGEN servers, you could randomly select which server to query, making the generation process itself harder to predict.
The Seed That Mattered
The RFC contains a detail that reveals genuine security thinking for its era. It specifies that the random seed must be:
- System-wide and persistent, updated after each access
- Greater than 32 bits for adequate randomness
- Never based on time-of-day clocks, which the RFC explicitly rejects as unacceptable
In 1986, someone at a missile range was already thinking about the difference between pseudorandomness and actual unpredictability. The concern about time-based seeds was prescient. Decades later, weak random number generators seeded with timestamps would become one of the most common sources of cryptographic vulnerability.
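The seed requirement above, as an added example that is not code from the RFC or from the original page: it builds PWDGEN-style replies (six eight-character words joined by CR LF) from a clock-derived seed and from the OS CSPRNG, and counts how many clock values in a window regenerate an issued word. The consonant/vowel alternation is a stand-in for the RFC's FORTRAN-77 algorithm, and all function names and the timestamp are assumptions.

```python
import random
import secrets

CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiou"

def make_word(rng, length=8):
    """Alternate consonant/vowel so the word is pronounceable.
    Stand-in scheme, not the algorithm the RFC distributes."""
    return "".join(
        rng.choice(CONSONANTS if i % 2 == 0 else VOWELS) for i in range(length)
    )

def six_words(rng):
    """One PWDGEN-style reply: six eight-character words."""
    return [make_word(rng) for _ in range(6)]

def reply_bytes(words):
    """Wire form described on the page: words separated by CR LF."""
    return "\r\n".join(words).encode("ascii")

def clock_seeded_reply(epoch_second):
    """What the RFC rejects: the seed is just the time of day."""
    return six_words(random.Random(epoch_second))

def clock_values_reproducing(issued_word, window_start, window_len):
    """Audit check: which clock values in a window regenerate an issued word?
    Any hit means the word was predictable from the request time alone."""
    return [
        t for t in range(window_start, window_start + window_len)
        if clock_seeded_reply(t)[0] == issued_word
    ]

def csprng_reply():
    """Preferred: draw from the OS CSPRNG, which exposes no guessable seed."""
    return six_words(secrets.SystemRandom())

if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    weak = clock_seeded_reply(issued_at)
    print("clock-seeded reply:", weak)
    print("clock values in a one-hour window that reproduce it:",
          clock_values_reproducing(weak[0], issued_at - 1800, 3600))
    print("CSPRNG reply:", csprng_reply())
```
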
Why It Disappeared
PWDGEN solved a real problem, but it solved it at the wrong layer. A network service that hands out passwords has an obvious weakness: the passwords travel over the network in plaintext. Anyone listening on the wire between you and the PWDGEN server could see every password it suggested.
As networks grew less trusted and more surveilled, the idea of a remote password generation service became untenable. Password generation moved into local software, then into operating systems, and eventually into the password managers that now generate random strings far longer and more complex than PWDGEN's eight-character words.
But the core idea, that computers should generate passwords for humans rather than the other way around, is now universal. Every "Suggest Strong Password" button in every browser is a descendant of port 129.
Security Considerations
Port 129 should not be open on any modern system. The PWDGEN protocol is obsolete and provides no encryption or authentication. If you find port 129 listening on a machine, investigate immediately. It is almost certainly not running a legitimate PWDGEN server.
To check if anything is listening on port 129:
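One way to run that check on Linux, as an added example that is not part of the original page: it reads the kernel's `/proc/net` socket tables (the sockets `ss -tuln` would list) and reports anything bound to port 129, matching the port exactly and only in the local-address column. The sample table, its inode and uid values, and the function names are constructed for illustration.

```python
import os

PWDGEN_PORT = 129
TCP_LISTEN = "0A"  # "st" column value for a listening TCP socket
UDP_BOUND = "07"   # "st" column value for a bound, unconnected UDP socket

def sockets_on_port(table_text, proto, port=PWDGEN_PORT):
    """Return (proto, local_addr_hex, uid, inode) for sockets waiting on `port`."""
    wanted = TCP_LISTEN if proto.startswith("tcp") else UDP_BOUND
    hits = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].rsplit(":", 1)  # local_address is HEXADDR:HEXPORT
        if int(port_hex, 16) == port and f[3] == wanted:
            hits.append((proto, addr_hex, int(f[7]), int(f[9])))
    return hits

# Constructed sample in /proc/net/tcp layout: a listener on 129 (0x0081),
# a listener on 1296 (0x0510), and an outbound connection *to* remote port 129.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0081 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1
   1: 00000000:0510 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31400 1
   2: 0100007F:C350 0100007F:0081 01 00000000:00000000 00:00000000 00000000  1000        0 31401 1
"""

def scan_host(proc_net="/proc/net"):
    """Check the live tables on a Linux host; returns [] when nothing is bound."""
    hits = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        path = os.path.join(proc_net, proto)
        if os.path.exists(path):
            with open(path) as fh:
                hits += sockets_on_port(fh.read(), proto)
    return hits

if __name__ == "__main__":
    print("sample:", sockets_on_port(SAMPLE_TCP, "tcp"))
    print("this host:", scan_host() or "nothing listening on port 129")
```

The inode in each hit can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process.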
Any unexpected listener on a well-known port that should be silent is worth investigating.
The Well-Known Port Range
Port 129 sits in the well-known port range (0-1023), which is controlled by IANA and historically required elevated privileges to bind to on Unix systems. These ports were reserved for services considered important enough to deserve a permanent, universally recognized address.
Not every well-known port became well-known. Port 129 is one of many in this range that served a purpose in the early Internet but faded as the network evolved. These quiet ports are reminders that the port number space is a historical record. Every assignment reflects a moment when someone believed a service was important enough to claim a number for.
Related Ports
- Port 17 (QOTD) — Quote of the Day, another simple "connect and receive" protocol from the same era
- Port 19 (CHARGEN) — Character Generator, a testing protocol with a similar connection model
- Port 113 (AUTH) — Authentication Service, another early attempt at network identity