10.4: Random password widgets may not be random
Authored by: segdeha on Sep 02, '05 04:31:05PM

I'm the author of Make-A-Pass and I use the following algorithm to achieve "good enough" randomness:


// The Central Randomizer 1.3 (C) 1997 by Paul Houle (houle@msc.cornell.edu)
// See:  http://www.msc.cornell.edu/~houle/JavaScript/randomizer.html
// Usage: rand(n) returns random integer between 1 and n

rnd.today = new Date();
rnd.seed  = rnd.today.getTime();

function rnd() {
   rnd.seed = (rnd.seed*9301+49297) % 233280;
   return rnd.seed/(233280.0);
}

function rand(number) {
   return Math.ceil(rnd()*number);
}

I believe this gets around the problem stated by the original poster, though I like the suggestion of using a command-line utility to generate the randomness.

Feel free to contact me if you have any suggestions for Make-A-Pass (or any of my widgets, for that matter!).

-Andrew
-----
andrew@hedges.name / http://andrew.hedges.name/


10.4: Random password widgets may not be random
Authored by: Felix on Sep 03, '05 11:32:30AM

Glad to hear Make-a-Pass doesn't have this problem...because I've been using it since you first posted it. Very handy Widget.



still insecure
Authored by: SOX on Sep 06, '05 02:08:21PM

One can subvert this as follows.
Look at the modification date on the user's password entry. Seed this along with times close by into your algorithm and you will get a modest list of possible passwords. Hash all these and see if they match the stored hash.



Insecure no more!
Authored by: segdeha on Sep 18, '05 11:39:41PM

FYI, I've updated Make-A-Pass to get its random seed from /dev/random. Thanks for the enlightening discussion, MacOSXHints.com readers!

You can download Make-A-Pass from the following URL:

http://andrew.hedges.name/widgets/

Thanks!
-Andrew
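
Added example, not part of any post in this thread and not Make-A-Pass's code: the generator posted in the first comment can only ever be in one of 233,280 states, which is why the candidate list described in the "still insecure" comment stays small however the seed is chosen. The sketch counts the passwords that generator can reach and sets a CSPRNG-based replacement beside it; the alphabet, the password length, the one-draw-per-character construction and the function names are assumptions.

```javascript
// Added example, not Make-A-Pass code. ALPHABET, LENGTH, the one-draw-per-character
// construction and all function names are assumptions made for illustration.
const M = 233280, A = 9301, C = 49297;   // constants from the rnd() posted above
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
const LENGTH = 8;

// One step of the posted generator as a pure function of its state.
const lcgStep = (state) => (state * A + C) % M;

// Password the LCG yields from a given seed: fully determined by the seed.
function lcgPassword(seed) {
  let s = seed, out = '';
  for (let i = 0; i < LENGTH; i++) {
    s = lcgStep(s);
    out += ALPHABET[Math.floor((s / M) * ALPHABET.length)];
  }
  return out;
}

// Audit: every seed, timestamp or not, collapses to one of M states after the
// first step, so walking 0..M-1 covers every password this scheme can produce.
function lcgPasswordSpace() {
  const seen = new Set();
  for (let seed = 0; seed < M; seed++) seen.add(lcgPassword(seed));
  return seen.size;
}

// Replacement: draw each character from the platform CSPRNG.
// Node before v19 has no global crypto object, hence the fallback.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

function securePassword(length = LENGTH) {
  const limit = 256 - (256 % ALPHABET.length);   // 248: reject above to avoid modulo bias
  const buf = new Uint8Array(1);
  let out = '';
  while (out.length < length) {
    rng.getRandomValues(buf);
    if (buf[0] < limit) out += ALPHABET[buf[0] % ALPHABET.length];
  }
  return out;
}

const space = lcgPasswordSpace();
console.log(`LCG: at most ${space} passwords (~${Math.log2(space).toFixed(1)} bits)`);
console.log(`CSPRNG: ${ALPHABET.length}^${LENGTH} passwords (~${(LENGTH * Math.log2(ALPHABET.length)).toFixed(1)} bits)`);
console.log(securePassword());
```

Because the bound comes from the modulus rather than from the clock, it applies to this generator whatever the seed source is; drawing every character from the CSPRNG is what removes it.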


