> void randpasswd( char *passwd )
> {
> int i;
> char passwd[9];
>
> srand( time( NULL ));

Do NOT use this!

The problem is that using time(NULL) as a seed for
random generates a mere 86,400 states per day, and
604,800 states per week. So if you know that a user
changed their password anytime in a given week, you
can try all the passwords that your password generator
would produce that week -- in well under a second.

If you are *EVER* using a "random" number to generate
a cryptographic key (passwords, arguably, are such) then
the pseudorandom number generator should be
cryptographically strong. That means that the inputs into
the PRNG should be difficult to reproduce or brute force
search.

Some good PRNGs:
-> a geiger counter with a serial port, run through MD5 or DES
-> a video camera pointed at a lava lamp sampled every
   1/30sec with a framegrabber, folded repeatedly
   through MD5 or DES
-> /dev/random on many lightweight UNIXes
-> a script such as:
     ( ls -alt /dev /tmp /var/tmp;
       ps -auxww;
       netstat -i;
       netstat -an ) | md5

> Now, the statisticians will complain about the rand() functions, but
> it should
I barely passed my 2 semesters of stats so I don't qualify
as one. The problem, however, isn't in the realm of stats,
it's just plain old security. rand() doesn't return very "good"
random numbers, but in the case of your example, the
problem is that your generator won't return very many
passwords in a given time period. If you're going to tell
someone how to do something, tell them how to do it
right.
mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
Personal: http://www.clark.net/pub/mjr
Work: http://www.nfr.net
New Book!!: http://www.clark.net/pub/mjr/websec
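
Added example, not part of the original post: the seeding pattern from the quoted code next to a version that draws from the kernel's random device, with rejection sampling so every character is equally likely. The alphabet, the function names and the use of /dev/urandom (rather than the /dev/random the post lists) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PWLEN 8
/* Assumed alphabet: 62 symbols. */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Weak pattern: the whole password is a function of the seed, so a
 * time(NULL) seed yields at most one distinct password per second. */
void weak_passwd(unsigned seed, char out[PWLEN + 1])
{
    srand(seed);
    for (int i = 0; i < PWLEN; i++)
        out[i] = ALPHABET[rand() % (sizeof ALPHABET - 1)];
    out[PWLEN] = '\0';
}

/* Hardened: bytes come from the kernel CSPRNG. Bytes >= 248 are thrown
 * away so that c % 62 is uniform. Returns 0 on success, -1 on failure. */
int strong_passwd(char out[PWLEN + 1])
{
    const unsigned n = sizeof ALPHABET - 1;   /* 62 */
    const unsigned limit = 256 - (256 % n);   /* 248 = 4 * 62 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    for (int i = 0; i < PWLEN; ) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c < limit)
            out[i++] = ALPHABET[(unsigned)c % n];
    }
    out[PWLEN] = '\0';
    fclose(f);
    return 0;
}

int main(void)
{
    char a[PWLEN + 1], b[PWLEN + 1];
    unsigned t = 1000000000u;                 /* constructed timestamp */
    weak_passwd(t, a);
    weak_passwd(t, b);
    printf("weak, same second:  %s %s\n", a, b);
    if (strong_passwd(a) == 0 && strong_passwd(b) == 0)
        printf("strong, two calls:  %s %s\n", a, b);
    return 0;
}
```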