- Path: sparky!uunet!sun-barr!ames!elroy.jpl.nasa.gov!sdd.hp.com!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!pacific.mps.ohio-state.edu!cis.ohio-state.edu!rutgers!concert!duke!trt
- From: trt@duke.cs.duke.edu (Tom Truscott)
- Newsgroups: sci.crypt
- Subject: Re: Secure password generation
- Message-ID: <716614576@romeo.cs.duke.edu>
- Date: 16 Sep 92 03:36:17 GMT
- References: <1992Sep12.020756.17214@morwyn.uucp> <256379411DN5.61R@tanda.isis.org>
- Distribution: na
- Organization: IBM RTP
- Lines: 29
-
-
- This is not a secure password generator!
- If there are no arguments it seeds the pseudo-random number generator
- with one of 32k different values.
- Trial decryption is thus trivial.
- (If there *are* arguments it probably seeds from an even smaller range.)
-
- You don't need a better pseudo-random number generator,
- you need a better source of randomness. A high-resolution clock
- might give you 32 unguessable bits, but that is not enough.
- Another possibility is to have the user type something and measure
- inter-character times with a busy loop:
-     /* this is a crude example */
-     for (8 times) {
-         ask user to type something
-         for (i = 0; no_keypress; i++)
-             ;
-         the low-order value of "i" is probably quite random now
-     }
- This produces 64 unguessable bits (one might hope) that could be used
- to seed a good PRNG, or probably even a crummy one by periodically doing:
- srand(rand() ^ some_of_the_unguessable_bits);
-
- It is amazing how easy it is to break most of the posted password generators.
- But then again, it is an easy trap to fall into.
- Someone please post a really strong generator,
- and try and make it widely available, and become famous.
-
- Tom Truscott
-
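An added example, not part of the original post and not the program it replies to: it measures how many distinct passwords a generator can emit when its seed is one of 32k values, next to a form that draws every character from the operating system's random source. The LCG in `weak_password`, all function names, the 12-character length and the 36-symbol alphabet are assumptions made for illustration, and `/dev/urandom` assumes a Unix-like system.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PWLEN 12
#define SEEDS 32768u /* "one of 32k different values" */
static const char ALPHA[] = "abcdefghijklmnopqrstuvwxyz0123456789"; /* 36 symbols */

/* Constructed stand-in for a generator seeded from a 15-bit value (hypothetical LCG). */
static void weak_password(uint32_t seed, char out[PWLEN + 1]) {
    uint32_t s = seed;
    for (int i = 0; i < PWLEN; i++) {
        s = s * 1103515245u + 12345u;
        out[i] = ALPHA[(s >> 16) % 36];
    }
    out[PWLEN] = '\0';
}
static int cmp(const void *a, const void *b) { return strcmp(a, b); }

/* Audit: the number of distinct passwords the weak generator can ever emit. */
static unsigned weak_distinct_outputs(void) {
    static char all[SEEDS][PWLEN + 1];
    for (uint32_t s = 0; s < SEEDS; s++) weak_password(s, all[s]);
    qsort(all, SEEDS, PWLEN + 1, cmp);
    unsigned n = 1;
    for (uint32_t i = 1; i < SEEDS; i++)
        if (strcmp(all[i - 1], all[i]) != 0) n++;
    return n;
}

/* Hardened form: kernel CSPRNG bytes; values >= 252 (7 * 36) are rejected to avoid modulo bias. */
static int strong_password(char out[PWLEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (int i = 0; i < PWLEN;) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if (c < 252) out[i++] = ALPHA[c % 36];
    }
    out[PWLEN] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    char pw[PWLEN + 1];
    printf("weak: %u distinct passwords, whatever their length\n", weak_distinct_outputs());
    if (strong_password(pw) == 0) printf("strong: %s (about 62 bits)\n", pw);
    return 0;
}
```

The weak count can never exceed the number of seeds, so a longer password or a larger alphabet adds nothing; the second function's 12 characters carry 12 * log2(36), about 62 bits.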