help-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

About randomity, entropy, random passwords - was Re: Noob dumb question

From: Jean Louis
Subject: About randomity, entropy, random passwords - was Re: Noob dumb question (extending emacs)
Date: Mon, 25 Oct 2021 23:29:43 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28) 
* Yuri Khan <yuri.v.khan@gmail.com> [2021-10-25 23:12]:
> On Tue, 26 Oct 2021 at 02:25, Jean Louis <bugs@gnu.support> wrote:
> 
> > Yuri and Michael H., you are very right, too simple password
> > generation without enough entropy produces duplicate passwords.
> 
> What tipped you to this conclusion?

I did the `dotimes' and found same passwords without goods seed. Then
I have improved the seed.

> Still wrong!

You still cannot guess the next password coming... with or without
good seed. But your tips did make it more random on my side. ;-p

> > (defun rcd-read-urandom (&optional length)
> >   "I am also free to modify the Emacs Lisp unlimited times."
> >   (shell-command-to-string "head -n 1 /dev/urandom"))
> 
> Here you read the first newline-delimited line of /dev/urandom, which
> may be a lot. If you have to use ‘head’, use it with -c and give a
> byte count.

That one I forgot the same time I wrote it, it was just thinking. I
don't like external commands.

> > (defun rcd-password-generate-1 (string)
> >   "Return capitalized or downcased single symbol from a string"
> >   (random (format "%s" (rcd-read-urandom)))
> 
> Here you seed the Emacs random generator with the entropy. However,
> the Emacs random generator can only use 48 bits of entropy in the best
> case, so it grabs exactly that and drops the remainder on the floor.

It may be, I dropped that one.

> >   (let* ((max (length string))
> >          (rnd (random max))
> >          (single (substring string rnd (+ rnd 1))))
> >     single))
> 
> Then you proceed to generate a random password using the seeded
> pseudo-random generator. Which is a step up from an unseeded
> pseudo-random generator (you could generate a series of passwords from
> a single seed, making it easier for the attacker who knows one to
> guess others) but still not as random as you would get by just
> converting raw entropy into printable characters.

I'll stick to random Emacs uptime concatenated to microseconds,
nanoseconds and milliseconds.


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]