Date: Mon, 3 Aug 2009 22:20:50 -0800 From: Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> To: freebsd-questions@freebsd.org Subject: Re: Secure password generation...blasphemy! Message-ID: <200908032220.50964.mel.flynn%2Bfbsd.questions@mailing.thruhere.net> In-Reply-To: <64c038660908031928v15a76d15g5599e6f3fef936e1@mail.gmail.com> References: <64c038660908031928v15a76d15g5599e6f3fef936e1@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Monday 03 August 2009 18:28:52 Modulok wrote: > I wrote a python script which uses /dev/random, and hashes the output > with sha256. I then truncate the output to the desired length. > Blasphemy! According to the superstitious password crowd my passwords > are not very secure ... maybe. They aren't, because you reduce the random to a much less random, *because* you are hashing. You're much better off, using ctype to determine if the byte you got is typeable on a keyboard and if not getting the next byte. Or use an array of allowed characters and read the rands as integers modulus the size of the array. But as others have stated, you're reinventing the wheel, and even FreeBSD's adduser(8) can generate random passwords that are suitable for most uses. You should really answer Kurt's questions to determine how secure they should be. As far as Pseudo generators go, they will generate the same sequence for the same seed, so if the seed is guessable by an attacker, you should not use them. -- Mel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200908032220.50964.mel.flynn%2Bfbsd.questions>