

10.4: Random password widgets may not be random
Authored by: cane on Dec 13, '05 06:01:16AM

Geeze. If someone sniffs your traffic, he also knows what algorithm you use. This means he also knows which of the 200 numbers you'll finally use.
(The method you described is useful for decreasing correlation of some given pseudo-random generator, but not for increasing security.)
You could, however, hash the online random number together with a local source of randomness, in order to have good randomness and security. However, I think that your local /dev/rand is secure enough.



10.4: Random password widgets may not be random
Authored by: jacobolus on Dec 13, '05 07:14:35AM

Except if you get a 10 MB random bit dump from random.org, and then use part of the file to pick where in the file to pull out a few bytes of random data, it's inconceivable that someone with a packet sniffer could figure out your strategy. That said, /dev/rand is fine AFAICT.



10.4: Random password widgets may not be random
Authored by: jacobolus on Dec 13, '05 07:15:50AM

Oh, I see, this is for a widget. Yeah, you're right. It would need to be combined with a local source.



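The mixing suggested in the first comment (hash the online random number together with a local source of randomness), as an added example that is not part of the original thread. The function names and the `SNIFFED_REMOTE` sample are assumptions made for illustration; the online bytes are treated as fully known to an eavesdropper, so the result stays unpredictable only because of the local operating-system randomness.

```python
import hashlib
import hmac
import os
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def mix_entropy(remote: bytes, local: bytes) -> bytes:
    """Hash the length-prefixed remote and local inputs into one 32-byte seed."""
    h = hashlib.sha256()
    for part in (remote, local):
        h.update(len(part).to_bytes(4, "big"))  # prefix keeps the split unambiguous
        h.update(part)
    return h.digest()

def _stream(seed: bytes):
    """Expand the seed into a byte stream: HMAC-SHA256 over a counter."""
    counter = 0
    while True:
        yield from hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1

def password_from_seed(seed: bytes, length: int = 16) -> str:
    """Map stream bytes onto ALPHABET with rejection sampling (no modulo bias)."""
    limit = 256 - (256 % len(ALPHABET))  # 248, the largest multiple of 62 below 256
    out = []
    for b in _stream(seed):
        if b < limit:  # bytes 248..255 are discarded, not folded in
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)

def make_password(remote: bytes, length: int = 16, local=None) -> str:
    """Combine remote bytes with local randomness, then derive a password."""
    if local is None:
        local = os.urandom(32)  # OS CSPRNG; the only secret input
    return password_from_seed(mix_entropy(remote, local), length)

# Constructed sample standing in for bytes fetched from an online service.
# Assume an eavesdropper has recorded every one of them.
SNIFFED_REMOTE = bytes(range(64))

if __name__ == "__main__":
    print(make_password(SNIFFED_REMOTE))
```
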