Date: Mon, 3 Aug 2009 20:28:52 -0600
From: Modulok <modulok@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Secure password generation...blasphemy!
Message-ID: <64c038660908031928v15a76d15g5599e6f3fef936e1@mail.gmail.com>

I need a way to generate a lot of secure passwords. So, I read all about it. Either people are getting way carried away, or I'm missing something...

There seems to be a lot of superstition about entropy. People have come up with quite creative ways of generating passwords using everything from dice in a shoebox to radio static recorded with a mic, to dedicated entropy hardware. Most seem to discourage using any computer program to generate passwords. The reasoning is that computers employ "only" a pseudo-random number generator (PRNG, henceforth).

I wrote a Python script which uses /dev/random, and hashes the output with sha256. I then truncate the output to the desired length. Blasphemy! According to the superstitious password crowd my passwords are not very secure ... maybe.

However, wouldn't hashing bytes from /dev/random be quite secure? The hash function would cover any readily apparent patterns, if they were found to exist. Both sha256 and yarrow are, to date, believed to be cryptographically secure. (Assuming the implementations are correct.) Therefore, using a cryptographically secure pseudo-random number generator and an equally secure hash function should be damn well good enough, right? I'd think that listening for cosmic background radiation or environmental infrared is drifting a little far from being in the realm of practical. Right?

Just looking for any reassurances.

-Modulok-
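
The scheme described in the message, next to a direct mapping of kernel random bytes onto an alphabet, as an added example that is not part of the original post. It assumes `os.urandom` as the interface to the kernel generator behind /dev/random; the function names and the 62-symbol alphabet are illustrative choices.

```python
import hashlib
import math
import os
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumed choice)


def hashed_password(length, read_random=os.urandom):
    """Scheme from the message: random bytes -> SHA-256 -> truncated hex digest."""
    if not 1 <= length <= 64:
        raise ValueError("a SHA-256 hex digest is 64 characters long")
    seed = read_random(32)  # 256 bits of input, matching the digest size
    return hashlib.sha256(seed).hexdigest()[:length]


def direct_password(length, alphabet=ALPHABET, read_random=os.urandom):
    """Map random bytes straight onto an alphabet, without modulo bias."""
    size = len(alphabet)
    if not 2 <= size <= 256:
        raise ValueError("alphabet must hold between 2 and 256 symbols")
    limit = 256 - (256 % size)  # bytes >= limit would favour early symbols
    out = []
    while len(out) < length:
        for byte in read_random(length):
            if byte < limit and len(out) < length:
                out.append(alphabet[byte % size])
    return "".join(out)


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly chosen password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    n = 20
    print(hashed_password(n), "%.0f bits" % entropy_bits(n, 16))
    print(direct_password(n), "%.0f bits" % entropy_bits(n, len(ALPHABET)))
```

A hex digest carries 4 bits per character, so a truncated digest of n characters holds at most 4n bits, while the 62-symbol alphabet carries about 5.95 bits per character.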