10.4: Random password widgets may not be random

Sep 02, '05 09:24:00AM

Contributed by: Anonymous

Tiger only hint

The widget KeychainHelper is supposed to be a random password generator. If you install it and set it up exactly the same way as someone else, however, you will notice that the passwords are not random at all: you both get the same ones.

Upon inspection of the code, the widget picks each character with JavaScript's Math.random() method. Math.random() is not a cryptographic generator: it is a deterministic pseudo-random sequence whose starting state is chosen by the JavaScript engine, and script has no way to supply its own seed. What this means in practice is that any time the widget is re-installed, or the Dock (which hosts Dashboard) is restarted, the cycle of pseudo-random choices starts over from the same point, and the same passwords come out in the same order. Since the Dock restarts each time you reboot your computer, your password is likely one of...

That is, assuming you use the same settings as I do: twelve characters in length, numbers plus letters in both upper and lower case. Any widget that uses Math.random() is a poor choice for security. The weakness is not JavaScript as a language but Math.random() itself: it was designed for games and animation, not secrets, so even an engine that seeded it differently on each start would only hide the problem, since the output of such a generator remains predictable once an attacker has seen a short run of it. Hence, until someone comes out with a widget that uses a Cocoa bundle, rather than JavaScript, to obtain its random bytes from the system's cryptographic random source (such as /dev/random), I think we all should refrain from using them. After all, what is the point in having a "random" password if it is the same as everyone else's "random" password?

[robg adds: There definitely seems to be an issue with JavaScript and random password generation, as I found another widget (called Password Generator) that's no longer available due to the same non-random-password issue. Both Apple's Dashboard site and DashboardWidgets.com list a number of such password generating widgets; if you're going to use one, you might want to test the randomness of the results before relying on the tool.]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20050829193835465