On 19 Aug 1998, Jason L Tibbitts III wrote:
> JHC> If anyone writes this, note that you should really only use
> JHC> /dev/random for a seed.
> I don't agree. You should use it when you need a really random value and
> you're willing to take the hit. If you want to generate lots of numbers
> quickly then you should use it as a seed. If you want to generate a small
> set of very random numbers rarely (as in Majordomo's case), you should use
> it directly.
> Besides, I thought that when the entropy pool was exhausted, current
> versions just returned slightly less random data instead of blocking.
> OXymoron would probably know more; he was the initial advocate of using
> /dev/random on Linux to generate tokens. I argued against it for reasons
> of system dependency, but if someone wrote a transparent module...
/dev/urandom is as good as /dev/random as long as the entropy is not
depleted below a certain point. After that, urandom will continue to
generate numbers that are as secure as the hash function the kernel uses
(SHA1, IIRC), but random will block until enough entropy is accumulated so
that the contents of the entropy pool cannot be guessed even if you manage
to break the hash function. Which means /dev/urandom is appropriate for
all but the most stringent applications. Whether you consider your MJ
password the most stringent application or not is borderline. Either way,
it's an improvement on rand().
As for the module, this is quite doable, I might look into it if I have
time in the next week or so.
"Love the dolphins," she advised him. "Write by W.A.S.T.E.."