Comment On Securely Random Strings

Jay:

the beholder:

vahokif:

Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.

I can't find any numbers between 'a' and 'z'. Now what?

I see i, v, x, l, c, d, and m.

You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.

You're just a pissing fag! You fu...

Oh, wait... My apologies.

Sea Sharp, Waves Hurt:

Foo Bar:

Leper! Outcast! Unclean!

Thomas Covenant. Classy :).

God, no. Those were awful books.

This is bound to lead to Ovaltine.

http://images.smh.com.au/2012/04/12/3211657/hacker-353-200x0.jpg

Turns out she was Australian after all and likes nerds!

Foo Bar:

Leper! Outcast! Unclean!

However, as a WTF this one really isn't so awful. GeneratePassword uses decent randomness, and stripping out non-alphas is OK for a URL.

The real WTF is the Thomas Covenant reference.

wibble factory:

Hmmmm:

Hmmmm:

Assuming what someone else said is true is never a good idea as it often isn't. The 2nd param is the minimum number of non-alphanumerics not the maximum or actual number.

FTFM

from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

public static string GeneratePassword(
int length,
int numberOfNonAlphanumericCharacters
)

...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual) it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

minNumNonAlphanumChars

Captcha: commoveo - as we get bald we start to use hairstyles called commeoveos

Unclean! Unclean!

Coffee Hound:

Code Challenge:
The shortest legible password generator that considers the following:
- Alpha only, or alpha numeric, or alpha-num + symbols
- Miminum and maximum length can be specified
- Minimum/maximum length of any group (alpha, num etc.) can be specified.
- Sufficiently random

Bonus points:
- No dictionary words from lang of choice
- Uniformly distributed over possible set of characters
And....
GO

I'll get you started....

string passwordGenerator(int type)

  switch(type)

  {  

    case alpha:

      cout << "Please enter a password containing letters only, that does not contain real words from the dictionary" << endl;

      cin >> password;

      return password;

    case alphanum:

      cout << "Please enter a password containing letters and numbers only, that does not contain real words from the dictionary" << endl;

      cin >> password;

      return password;

    case alpahnumsym:

            cout << "Please enter a password containing letters numbers and symbold, that does not contain real words from the dictionary" << endl;

      cin >> password;

      return password;

    default:

      /* Updated 12/4 for security */

      return "admin01"; //"qwe123"; //"blink182"

  }

}

Jay:

the beholder:

vahokif:

Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.

I can't find any numbers between 'a' and 'z'. Now what?

I see i, v, x, l, c, d, and m.

You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.

bcdef too for the heaxadecimally inclined

Anon:

public static string GeneratePassword (int length, int numberOfNonAlphanumericCharacters)

protected String getRanString()
{
return GeneratePassword(10,0);
}

The remaining code is useless because the 2nd argument asks for zero punctuation characters.

It asks for Yahtzee?

the beholder:

vahokif:

Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.

I can't find any numbers between 'a' and 'z'. Now what?

Use " and" as your password then.

Mason Wheeler:

"System.Web.Security.Membership.GeneratePassword"? Ugh. You think they could cram a few more levels of hierarchical namespacing into that if they tried? Just in case 5 isn't ugly enough for someone out there?

If you've never used .Net, it's actually not bad with how .Net's "using" statements work. The only time you really have to type out the full namespace hierarchy is when there is a naming conflict with another namespace you've pulled in with a "using" statement. It's a really nice feature if you make heavy use of the IDE, a lot of the VS IDE is sensitive to what namespaces you bring in with "using" statements.

Switch to EBCDIC.

    uncleanRandomString = uncleanRandomString.Replace(")", "m");

    uncleanRandomString = uncleanRandomString.Replace("_", "d");

    uncleanRandomString = uncleanRandomString.Replace("-", "5");

and he still didn't think of md5....

wibble factory:

Hmmmm:

Hmmmm:

Assuming what someone else said is true is never a good idea as it often isn't. The 2nd param is the minimum number of non-alphanumerics not the maximum or actual number.

FTFM

from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

public static string GeneratePassword(
int length,
int numberOfNonAlphanumericCharacters
)

...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual) it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

I have only one word for this kind of WTF:

Microsoft

Coffee Hound:

Code Challenge:
The shortest legible password generator that considers the following:
- Alpha only, or alpha numeric, or alpha-num + symbols
- Miminum and maximum length can be specified
- Minimum/maximum length of any group (alpha, num etc.) can be specified.
- Sufficiently random

Bonus points:
- No dictionary words from lang of choice
- Uniformly distributed over possible set of characters
And....
GO

I think you can do that in 5 minutes with a perl lib .. they have libs for everything mad and language-y

// ...
// several lines of code to be decently paid
// ...
return "hunter2";

For those who didn't get it, here's how you would code this in a secure way:

protected String getRanString()
{
String uncleanRandomString = System.Web.Security.Membership.GeneratePassword(10, 0);
uncleanRandomString = uncleanRandomString.Replace("!", "a");
uncleanRandomString = uncleanRandomString.Replace("@", "2");
uncleanRandomString = uncleanRandomString.Replace("#", "c");
uncleanRandomString = uncleanRandomString.Replace("$", "4");
uncleanRandomString = uncleanRandomString.Replace("%", "3");
uncleanRandomString = uncleanRandomString.Replace("^", "i");
uncleanRandomString = uncleanRandomString.Replace("&", "a");
uncleanRandomString = uncleanRandomString.Replace("*", "9");
uncleanRandomString = uncleanRandomString.Replace("(", "g");
uncleanRandomString = uncleanRandomString.Replace(")", "s");
uncleanRandomString = uncleanRandomString.Replace("_", "h");
uncleanRandomString = uncleanRandomString.Replace("-", "a");
uncleanRandomString = uncleanRandomString.Replace("+", "2");
uncleanRandomString = uncleanRandomString.Replace("=", "q");
uncleanRandomString = uncleanRandomString.Replace("[", "w");
uncleanRandomString = uncleanRandomString.Replace("{", "t");
uncleanRandomString = uncleanRandomString.Replace("]", "r");
uncleanRandomString = uncleanRandomString.Replace("}", "f");
uncleanRandomString = uncleanRandomString.Replace(";", "8");
uncleanRandomString = uncleanRandomString.Replace(":", "z");
uncleanRandomString = uncleanRandomString.Replace("<", "x");
uncleanRandomString = uncleanRandomString.Replace(">", "0");
uncleanRandomString = uncleanRandomString.Replace("|", "v");
uncleanRandomString = uncleanRandomString.Replace(".", "b");
uncleanRandomString = uncleanRandomString.Replace("/", "y");
uncleanRandomString = uncleanRandomString.Replace("?", "t");
return uncleanRandomString;
}

Peter:

Sea Sharp, Waves Hurt:

Foo Bar:

Leper! Outcast! Unclean!

Thomas Covenant. Classy :).

God, no. Those were awful books.

You read more than one of them? Why?

It doesn't seem 'Too bad' to me.

The generated password only contains alphanumeric characters and the following punctuation marks: !@#$%^&*()_-+=[{]};:<>|./?. No hidden or non-printable control characters are included in the generated password

So System.Web.Security.Membership.GeneratePassword(10, 0); creates a random alpha-numeric string which includes the extra characters. But the programmer doesn't want any of those characters in password strings so they're performing a manual replace on each of the special characters.

Lefty:

Switch to EBCDIC.

Hooray!

Larry:

There are plenty of numbers between 'a' and 'z':

perl -e '$X="a";while ($X le "z"){print $X++;}'
abcdefghijklmnopqrstuvwxyz

Not a single 1 of those is a number.

All are the letters are numerals for base 36.

jmacpherson:

All are the letters are numerals for base 36.

Nobody in their right mind uses base36. A keyboard isn't used in a base36 context. It CAN be, but generally is not. So when we refer to the symbols on a keyboard, and put a requirement refering to numbers between 2 keys, and nobody has specified that we are using base36, then base 10 is assumed, and the symbols that are not arabic numbers are considered 'letters' and not 'numbers'. So no, nobody specified base36 before hand, so no, there are no numbers between 'a' and 'z' on a qwerty or dvorak keyboard.

You berated the programmer for not using md5, but he did!

uncleanRandomString = uncleanRandomString.Replace(")", "m");
uncleanRandomString = uncleanRandomString.Replace("_", "d");
uncleanRandomString = uncleanRandomString.Replace("-", "5");

Hmmmm:

RichP:

Why do I have the sneaking suspicion that he ran GeneratePassword and hand-selected the alphanumerics to use as the substitute in order to be "more randomer"?

Assuming what someone else said is true then most definitely not or he would have realised that no non-alphnumerics were getting generated anyway...

I'm going to assume he thought like other people that the second term would squash the non-alpha numeric characters. When it obvious didn't, he slapped in a fix and got on with his life. Since thee are no important effects outside the function itself, it's not very wtf.

Big WTF is something that causes difficult to explain side effects, or subtle failures far from the offense itself.

PiisAWheeL:

Larry:

There are plenty of numbers between 'a' and 'z':

perl -e '$X="a";while ($X le "z"){print $X++;}'
abcdefghijklmnopqrstuvwxyz

Not a single 1 of those is a number.

Hint: Ipsum Lorem, Pagina III.

"Apparently, this developer was too proud for base 64 encoding"

I don't get it. How would base64 encoding help with random strings?

With MD5 I could do MD5(RAND()) and get a reasonably random string of mostly numbers and couple letter (0-F). But how can one use Base 64 when generating a random string?

umm, because it won't work on mac?

Is there a formular for determing the decreased entropy?


like

cat /dev/absolutelyrandom | randomdetection
100%
(after some time)

cat /dev/absolutelyrandom | replacing_certain_strings_with_absolutelynon_random | randomfilter
30%

?

Dunno how the Laplace Distribution plays in there, but some symbols have 1:1 conversion and are a crib enabler.
Maybe one could build a functioning string (bash shebang?) out of the 1:1 fixed translation conversion symbols.

And yes, the use of cat might be a deadvisable one, but i like pipes.