
Timeline for My first random password generator

Current License: CC BY-SA 4.0

14 events
when toggle format what by license comment
Oct 3, 2019 at 12:27 comment added SilverbackNet I guess I've used gcc too long, I didn't realize VC still defines it as 32767.
Oct 3, 2019 at 11:17 comment added Voo @SilverbackNet Huge range of rand? RAND_MAX is only guaranteed to give 32767 unique values, which is trivial to hack. The whole function specification is horribly broken; don't blame implementations that don't want to change a broken function just to marginally improve security.
Oct 2, 2019 at 16:23 comment added dan04 Given that the program is intended "just for the sake of learning the C language", I wouldn't focus too much on the entropy issue. But yeah, definitely choose a better RNG seed than time(NULL) if you intend to actually use the program to generate passwords.
Oct 2, 2019 at 4:07 comment added SilverbackNet Using srandom(time(NULL)) is clearly the limiting bug; if used server-side, it opens the barn door for attackers to ask for a password reset and try just a handful of options before succeeding. Client or server-side, it means instantly pwning a new sign-up. A better source of entropy, even if you don't resort to OS/hardware sources, is clearly preferred, but using rand alone isn't a problem given the huge range of rand mapped to a tiny range of symbols, unless the lib implementation of rand is horribly broken. The point of a password generator is just reasonable entropy, not maximum.
Oct 1, 2019 at 16:13 comment added Voo @Peter There've been successful real-world attacks on people using a weak cryptographic RNG that was initialized based on the current time (even when they added the PID to it). What Martin is talking about is an absolutely practical attack.
Oct 1, 2019 at 16:10 comment added Voo There's also the age-old random() % <some random number> error.
Oct 1, 2019 at 9:44 comment added Martin Bonner supports Monica @PeterJennings The srandom function is initialized with the return from time. If we know the year the password is generated, there are fewer than 32 million possible passwords. You are also wrong about the "knowing the exact random algorithm won't help you crack the password" - there are many, many passwords that using random cannot generate even if the initial seed is adequate.
Oct 1, 2019 at 1:39 comment added Reinderien @PeterJennings Key and password generation are absolutely activities requiring cryptographic strength. Given that password generation requires a tiny amount of data and only needs to occur once, the marginal added cost and complexity are more than worth it - even if it brings password attacks from "infeasible" to "extremely infeasible".
Oct 1, 2019 at 0:03 comment added Peter Jennings Agreed that the C library rand function is cryptographically weak, but this isn't cryptography. Even knowing the exact random algorithm used, it wouldn't help you crack the password, particularly as you don't know any of it. Taking the remainder of the generated number mod the length of the character set would further obfuscate things. Knowing nothing more, you would still have to run through all RAND_MAX possibilities.
Sep 30, 2019 at 20:46 history edited Reinderien CC BY-SA 4.0
added 358 characters in body
Sep 30, 2019 at 20:44 comment added Reinderien return terminates the function, so nothing after it will be run. But you're correct to identify that, in general, allocated memory should be freed. In this case, it would be the responsibility of main to do that.
Sep 30, 2019 at 20:42 comment added user210517 Thanks, I will write the allocation-failure test for the malloc(). About the free(), I read that after using malloc() to manually allocate some memory, I also need to manually free the memory after using it. I put free() after the return because when I put it before, the string "random_password" was returned empty; I don't know why, maybe the free() before "deleted" the variable in some way. The random() function is Linux only.
Sep 30, 2019 at 20:37 vote accept CommunityBot
Sep 30, 2019 at 20:33 history answered Reinderien CC BY-SA 4.0