Secure password generation...blasphemy!
rwmaillists at googlemail.com
Tue Aug 4 16:42:56 UTC 2009
On Mon, 3 Aug 2009 20:28:52 -0600
Modulok <modulok at gmail.com> wrote:
> However, wouldn't hashing bytes from /dev/random be quite secure? The
> hash function would cover any readily apparent patterns, if they were
> found to exist.
That's fine, the only issue is that hex digits lead to long passwords
for a given strength.
Most password generators are OK, provided that they ultimately
derive a sufficiently strong seed from /dev/random and don't do
anything stupid, this includes things like jot, which uses the
The main problem is that there are still a few generators around, IIRC
sysutils/pwgen is one, that still seed from the time and the pid, so I
wouldn't use a generator unless I'd seen the source.
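The two points in this reply, worked as an added example (not part of the original message, and not the code of any generator it names): how many characters a given strength costs in hex versus a 62-symbol alphabet, and how small a time-and-pid seed space is. It assumes `os.urandom` as the interface to the kernel generator behind /dev/random; the function names and the one-day window and 100000-pid range in the comparison are constructed for illustration.

```python
import math
import os
import string

ALNUM = string.ascii_letters + string.digits  # 62 symbols: a-z, A-Z, 0-9
HEX = "0123456789abcdef"


def length_for_bits(bits, alphabet_size):
    """Characters needed so that alphabet_size**length >= 2**bits."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate(bits=128, alphabet=ALNUM, rand=os.urandom):
    """Return a uniformly chosen password of at least `bits` strength."""
    n = len(alphabet)
    if not 2 <= n <= 256 or len(set(alphabet)) != n:
        raise ValueError("alphabet must hold 2..256 distinct symbols")
    # Bytes at or above `limit` are discarded: 256 is not a multiple of 62,
    # so a plain `byte % n` would favour the first few symbols.
    limit = 256 - (256 % n)
    need = length_for_bits(bits, n)
    out = []
    while len(out) < need:
        for b in rand(need * 2):
            if b < limit and len(out) < need:
                out.append(alphabet[b % n])
    return "".join(out)


def seed_space_bits(window_seconds, pid_range):
    """Upper bound, in bits, on a seed built only from time and pid."""
    return math.log2(window_seconds * pid_range)


if __name__ == "__main__":
    for name, alpha in (("hex", HEX), ("alnum", ALNUM)):
        print(name, length_for_bits(128, len(alpha)), generate(128, alpha))
    # Constructed assumption: creation time known to within a day,
    # pid drawn from a range of 100000 values.
    print("time+pid seed: %.1f bits" % seed_space_bits(86400, 100000))
```

However long the output, a password from a generator seeded this way is no stronger than the seed space computed by `seed_space_bits`.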