10-07-2007
Quote:
Originally Posted by caiser
What's wrong with:
cat /dev/urandom| .....
Since you asked, the problems start with your use of /dev/urandom. As one example, see "Analysis of the Linux Random Number Generator", March 6, 2006 by Gutterman, Pinkas, and Reinman.
Quote:
Linux is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This paper presents a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices.
In addition, your generator will not constrain its output to produce passwords that are easy for a human to remember.
I really encourage anyone who thinks that they have a method of generating random passwords to formally test that assumption. My script's output has passed the Diehard suite. And here is a clue: you need a random number generator that can pass Diehard. I am not aware of any version of Unix or Linux that comes with any random number generator that can do that. Passing Diehard is tough. No linear congruential generator, such as rand(), will even come close.
Note that even if /dev/urandom is reengineered to output random numbers, the fact that other users on the system can examine the current state of the generator and then compute previous states continues to be a problem. You really need a method that will deliver a stream of random numbers to you and only to you.
PWGEN(1) General Commands Manual PWGEN(1)
NAME
pwgen - generate pronounceable passwords
SYNOPSIS
pwgen [ OPTION ] [ pw_length ] [ num_pw ]
DESCRIPTION
The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible.
Human-memorable passwords are never going to be as secure as completely random passwords. In particular, passwords generated by pwgen
without the -s option should not be used in places where the password could be attacked via an off-line brute-force attack. On the other
hand, completely randomly generated passwords have a tendency to be written down, and are subject to being compromised in that fashion.
The pwgen program is designed to be used both interactively, and in shell scripts. Hence, its default behavior differs depending on
whether the standard output is a tty device or a pipe to another program. Used interactively, pwgen will display a screenful of passwords,
allowing the user to pick a single password, and then quickly erase the screen. This prevents someone from being able to "shoulder surf"
the user's chosen password.
When standard output (stdout) is not a tty, pwgen will only generate one password, as this tends to be much more convenient for shell
scripts, and in order to be compatible with previous versions of this program.
In addition, for backwards compatibility reasons, when stdout is not a tty and secure password generation mode has not been requested,
pwgen will generate less secure passwords, as if the -0A options had been passed to it on the command line. This can be overridden using
the -nc options. In the future, the behavior when stdout is a tty may change, so shell scripts using pwgen should explicitly specify the
-nc or -0A options. The latter is not recommended for security reasons, since such passwords are far too easy to guess.
OPTIONS
-0, --no-numerals
Don't include numbers in the generated passwords.
-1 Print the generated passwords one per line.
-A, --no-capitalize
Don't bother to include any capital letters in the generated passwords.
-a, --alt-phonics
This option doesn't do anything special; it is present only for backwards compatibility.
-B, --ambiguous
Don't use characters that could be confused by the user when printed, such as 'l' and '1', or '0' or 'O'. This reduces the number
of possible passwords significantly, and as such reduces the quality of the passwords. It may be useful for users who have bad
vision, but in general use of this option is not recommended.
-c, --capitalize
Include at least one capital letter in the password. This is the default if the standard output is a tty device.
-C Print the generated passwords in columns. This is the default if the standard output is a tty device.
-N, --num-passwords=num
Generate num passwords. This defaults to a screenful if passwords are printed by columns, and one password otherwise.
-n, --numerals
Include at least one number in the password. This is the default if the standard output is a tty device.
-H, --sha1=/path/to/file[#seed]
Will use the SHA1 hash of the given file and the optional seed to create the password. It will allow you to compute the same password
later, if you remember the file, seed, and pwgen's options used. i.e.: pwgen -H ~/your_favorite.mp3#your@email.com gives a list of
possible passwords for your pop3 account, and you can ask for this list again and again.
WARNING: The passwords generated using this option are not very random. If you use this option, make sure the attacker cannot
obtain a copy of the file. Also, note that the name of the file may be easily available from the ~/.history or ~/.bash_history
file.
-h, --help
Print a help message.
-s, --secure
Generate completely random, hard-to-memorize passwords. These should only be used for machine passwords, since otherwise it's
almost guaranteed that users will simply write the password on a piece of paper taped to the monitor...
-v, --no-vowels
Generate random passwords that do not contain vowels or numbers that might be mistaken for vowels. It provides less secure
passwords so that system administrators do not have to worry about random passwords accidentally containing offensive substrings.
-y, --symbols
Include at least one special character in the password.
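The DESCRIPTION above says that when stdout is not a tty and secure mode was not requested, pwgen behaves as if -0A had been given, and that scripts should state their options explicitly. A script-side guard for that, as an added example that is not part of the pwgen distribution; the function names has_class, check_pw and gen_pw are hypothetical, and it assumes pwgen is on PATH:

```shell
#!/bin/sh
# Added example, not from the pwgen distribution. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [A-Z] and [0-9] plain ASCII ranges

# has_class STRING BRACKET_EXPR: succeed if STRING contains a matching character.
has_class() {
    case "$1" in
        *$2*) return 0 ;;
        *)    return 1 ;;
    esac
}

# check_pw PASSWORD LENGTH: succeed only if PASSWORD has exactly LENGTH
# characters and at least one capital letter and one numeral, i.e. it does
# not look like output produced under the non-tty -0A fallback.
check_pw() {
    [ "${#1}" -eq "$2" ] || return 1
    has_class "$1" '[A-Z]' || return 1
    has_class "$1" '[0-9]' || return 1
    return 0
}

# gen_pw [LENGTH]: print one password, never relying on pwgen's defaults.
gen_pw() {
    gen_len=${1:-16}
    command -v pwgen >/dev/null 2>&1 || {
        echo "gen_pw: pwgen not found" >&2
        return 127
    }
    # -s  secure (fully random) mode, -nc  require a numeral and a capital,
    # -1  one password per line; the trailing 1 is num_pw.
    gen_out=$(pwgen -s -nc -1 "$gen_len" 1) || return 1
    # Fail closed if the installed pwgen did not honour the flags.
    check_pw "$gen_out" "$gen_len" || {
        echo "gen_pw: output failed policy check" >&2
        return 1
    }
    printf '%s\n' "$gen_out"
}

# Usage in a script:  new_pw=$(gen_pw 20) || exit 1
```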
AUTHOR
This version of pwgen was written by Theodore Ts'o <tytso@alum.mit.edu>. It is modelled after a program originally written by Brandon S.
Allbery, and then later extensively modified by Olaf Titz, Jim Lynch, and others. It was rewritten from scratch by Theodore Ts'o because
the original program was somewhat of a hack, and thus hard to maintain, and because the licensing status of the program was unclear.
SEE ALSO
passwd(1)
pwgen version 2.05 January 2006 PWGEN(1)