Date:      Mon, 23 Nov 1998 08:12:02 +1100
From:      Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>
To:        hackers@FreeBSD.ORG
Subject:   Re: freebsd-hackers-digest V4 #314
Message-ID:  <98Nov23.081136est.40323@border.alcanet.com.au>

On Fri, 20 Nov 1998 08:39:16 -0800 (PST), EE <ee123@rocketmail.com> wrote:
>I'm looking for a password generator.

And various people responded with things like:
"it's really piece of cake to write that kind of program in perl or C",
and a couple of people posted sample code.

Unfortunately, all of the postings I've seen so far suffer from a
fatal flaw - all of them use pseudo-random numbers and hence generate
pseudo-random passwords.  This means that the password can be fairly
readily broken by knowing the algorithm used to generate the password.
(On the positive side, one of them did attempt to increase the entropy
of the generated password, but srandom() only provides 32 bits, which
is trivial to crack nowadays.  On the negative side, another program
made no attempt to seed the random number, thus providing a
conveniently repeatable list of passwords for any cracker).

A true random password requires random numbers, which are very
difficult to generate within a computer.  Depending on your needs,
/dev/random may be adequate (see random(4)).  srandomdev(3) is a
start, but unfortunately uses /dev/urandom instead of /dev/random
and can quietly fall back to srandom(3) in some cases.

Peter
--
Peter Jeremy (VK2PJ)                    peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                          Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015                   Fax:   +61 2 9690 5247
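
The following is an added example, not code from the message above or from any poster in the thread. It is a sketch of a generator that takes every byte from a kernel random device and fails outright when the device is unavailable, instead of quietly falling back to srandom(3). The function names, the 62-symbol alphabet and the 16-character length are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* 62 symbols; the alphabet is an assumption of this example. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
#define NSYM (sizeof(ALPHABET) - 1)

/* Map one random byte to an alphabet index, or -1 when the byte falls in
 * the partial final block (248..255 for 62 symbols) and must be discarded
 * so that every symbol stays equally likely. */
int byte_to_index(unsigned char b)
{
    unsigned limit = 256 - (unsigned)(256 % NSYM);
    return b < limit ? (int)(b % NSYM) : -1;
}

/* Fill out[0..len-1] from the device `dev` and NUL-terminate; out must hold
 * len + 1 bytes. Returns 0 on success, -1 if the device cannot be opened
 * or read. There is deliberately no fallback to srandom()/random(). */
int gen_password(const char *dev, char *out, size_t len)
{
    FILE *f = fopen(dev, "rb");
    size_t n = 0;
    out[0] = '\0';
    if (f == NULL) return -1;
    setvbuf(f, NULL, _IONBF, 0);   /* do not read ahead and waste entropy */
    while (n < len) {
        int c = fgetc(f);
        int idx;
        if (c == EOF) { fclose(f); out[0] = '\0'; return -1; }
        idx = byte_to_index((unsigned char)c);
        if (idx >= 0)
            out[n++] = ALPHABET[idx];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char pw[17];
    if (gen_password("/dev/random", pw, sizeof(pw) - 1) != 0) {
        fprintf(stderr, "cannot read /dev/random\n");
        return 1;
    }
    puts(pw);
    return 0;
}
```

Sixteen symbols from a 62-symbol alphabet carry about 95 bits, so the output is no longer bounded by a 32-bit seed.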
