[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Noob dumb question (extending emacs)

From: Emanuel Berg
Subject: Re: Noob dumb question (extending emacs)
Date: Sat, 23 Oct 2021 20:22:58 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux)

Yuri Khan wrote:

>> If you use Emacs' `random' to generate a password, an
>> attacker would need to have access to your system to
>> predict the result. He would at least have to know exactly
>> when you started your Emacs session (that time is used to
>> generate the seed). Or he would need much more
>> pseudo-random numbers from you.
>> Without any of these, no chance to guess, because there are
>> too many possible pseudo-random numbers when you don't know
>> at which position in the sequence the generator started.
> The position in the sequence, aka the random seed, contains
> a certain number of bits. In Emacs, as far as I can tell,
> best case, the random seed is 48 bits. Which means, no
> matter how long a password you (the user) generate, it still
> contains only 48 bits of entropy.

#! /bin/zsh
$ echo $(( 2**48 ))

Or Elisp:
(expt 2 48)
281474976710656 (#o10000000000000000, #x1000000000000)

> It is *not* okay to offer a library for password generation
> using a weak generator to other people without explaining
> its entropy characteristics so that they could assess
> their risk.

But what is the method stipulated then, we'll just do
a `random-passwd' with that ...

underground experts united

reply via email to

[Prev in Thread] Current Thread [Next in Thread]