Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 3 Aug 2009 20:28:52 -0600
From:      Modulok <modulok@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Secure password generation...blasphemy!
Message-ID:  <64c038660908031928v15a76d15g5599e6f3fef936e1@mail.gmail.com>

next in thread | raw e-mail | index | archive | help
I need a way to generate a lot of secure passwords. So, I read all
about it. Either people are getting way carried away, or I'm missing
something...

There seems to be a lot of superstition about entropy. People have
come up with quite creative ways at generating passwords using
everything from dice in a shoebox to radio static recorded with a mic,
to dedicated entropy hardware. Most seem to discourage using any
computer program to generate passwords. The reasoning is that
computers employ "only" pseudo-random number generator (PRNG,
henceforth).

I wrote a python script which uses /dev/random, and hashes the output
with sha256. I then truncate the output to the desired length.
Blasphemy! According to the superstitious password crowd my passwords
are not very secure ... maybe.

However, wouldn't hashing bytes from /dev/random be quite secure? The
hash function would cover any readily apparent patterns, if they were
found to existed. Both sha256 and yarrow are, to date, believed to be
cryptographically secure. (Assuming the implementations are correct.)
Therefore, using a cryptographically secure pseudo-random number
generator and an equally secure hash function should be damn well good
enough, right?

I'd think that listening for cosmic background radiation or
environmental infrared is drifting a little far from being in the
realm of practical. Right?

Just looking for any re-assurances.
-Modulok-



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?64c038660908031928v15a76d15g5599e6f3fef936e1>