Secure password generation...blasphemy!
Mel Flynn
mel.flynn+fbsd.questions at mailing.thruhere.net
Tue Aug 4 06:20:53 UTC 2009
On Monday 03 August 2009 18:28:52 Modulok wrote:
> I wrote a python script which uses /dev/random, and hashes the output
> with sha256. I then truncate the output to the desired length.
> Blasphemy! According to the superstitious password crowd my passwords
> are not very secure ... maybe.
They aren't, because you reduce the random to a much less random, *because*
you are hashing.
You're much better off, using ctype to determine if the byte you got is
typeable on a keyboard and if not getting the next byte. Or use an array of
allowed characters and read the rands as integers modulus the size of the
array.
But as others have stated, you're reinventing the wheel, and even FreeBSD's
adduser(8) can generate random passwords that are suitable for most uses. You
should really answer Kurt's questions to determine how secure they should be.
As far as Pseudo generators go, they will generate the same sequence for the
same seed, so if the seed is guessable by an attacker, you should not use
them.
--
Mel
More information about the freebsd-questions
mailing list