10.4: Random password widgets may not be random
Authored by: Hanji on Sep 05, '05 02:12:10PM

For the sake of paranoia, I'd be wary of using any online source of randomness to generate passwords. You don't know what they may or may not be logging, and who may or may not be sniffing somewhere on the route between you and them.



10.4: Random password widgets may not be random
Authored by: KenaiTheMacFan on Sep 11, '05 05:39:33PM

Get about 200 random numbers. Take the last few numbers and use them to determine which of the 200 numbers to use in making the password.

---
Ian



10.4: Random password widgets may not be random
Authored by: cane on Dec 13, '05 06:01:16AM

Geeze. If someone sniffs your traffic, he also knows what algorithm you use. This means he also knows which of the 200 numbers you'll finally use.
(The method you described is useful for decreasing correlation of some given pseudo-random generator, but not for increasing security.)
You could, however, hash the online random number together with a local source of randomness, in order to have good randomness and security. However, I think that your local /dev/rand is secure enough.



10.4: Random password widgets may not be random
Authored by: jacobolus on Dec 13, '05 07:14:35AM

Except if you get a 10 MB random bit dump from random.org, and then use part of the file to pick where in the file to pull out a few bytes of random data, it's inconceivable that someone with a packet sniffer could figure out your strategy. That said, /dev/rand is fine AFAICT.



10.4: Random password widgets may not be random
Authored by: jacobolus on Dec 13, '05 07:15:50AM

Oh, I see, this is for a widget. Yeah, you're right. It would need to be combined with a local source.



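Added example, not part of any comment in this thread: a Python sketch of the two approaches discussed above. `pool_password` is one reading of the "pick from 200 numbers" scheme and depends only on the downloaded bytes; `mixed_password` combines the download with local secret bytes, as the replies suggest. The function names, the use of HMAC-SHA-256 and SHAKE-256, and the sample bytes are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

# Constructed stand-in for 200 bytes fetched from an online generator;
# an eavesdropper on the route is assumed to hold an identical copy.
SNIFFED = bytes((i * 37 + 11) % 256 for i in range(200))


def pool_password(pool: bytes, length: int = 12) -> str:
    """Self-selection scheme: the last `length` bytes pick which earlier
    bytes become the password. The output depends on `pool` alone."""
    body, selectors = pool[:-length], pool[-length:]
    return "".join(ALPHABET[body[s % len(body)] % len(ALPHABET)]
                   for s in selectors)


def mixed_password(remote: bytes, local: Optional[bytes] = None,
                   length: int = 16) -> str:
    """Mix the download with local secret bytes, then map to characters."""
    if local is None:
        local = secrets.token_bytes(32)  # OS CSPRNG, never leaves the host
    # HMAC-SHA-256 keyed with the local bytes: without that key, knowing
    # `remote` does not reveal the seed.
    seed = hmac.new(local, remote, hashlib.sha256).digest()
    limit = 256 - 256 % len(ALPHABET)  # 248; bytes >= 248 are rejected
    n = length * 2                     # to avoid modulo bias
    while True:
        stream = hashlib.shake_256(seed).digest(n)  # expand seed to n bytes
        chars = [ALPHABET[b % len(ALPHABET)] for b in stream if b < limit]
        if len(chars) >= length:
            return "".join(chars[:length])
        n *= 2  # rare: too many rejected bytes, ask for a longer stream


if __name__ == "__main__":
    print("observer can recompute:", pool_password(SNIFFED))
    print("needs local secret:    ", mixed_password(SNIFFED))
```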