Comment On Securely Random Strings

"Working through a pretty ugly project, I came across this C# beauty," Matt B writes, "at first, I was unsure of what it did. I was utterly perplexed until I took a second look at the function name. " [expand full text]

Re: Securely Random Strings

2012-04-12 16:26 • by Zunetang (unregistered)
379056 in reply to 379050
Jay:
the beholder:
vahokif:
Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
I can't find any numbers between 'a' and 'z'. Now what?


I see i, v, x, l, c, d, and m.

You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.
You're just a pissing fag! You fu...

Oh, wait... My apologies.

Re: Securely Random Strings

2012-04-12 16:32 • by Peter (unregistered)
379057 in reply to 379044
Sea Sharp, Waves Hurt:
Foo Bar:
Leper! Outcast! Unclean!
Thomas Covenant. Classy :).
God, no. Those were awful books.

Re: Securely Random Strings

2012-04-12 16:45 • by gloin (unregistered)
This is bound to lead to Ovaltine.

Irish girl spotted

2012-04-12 18:20 • by Irish girl spotted (unregistered)
http://images.smh.com.au/2012/04/12/3211657/hacker-353-200x0.jpg

Turns out she was Australian after all and likes nerds!

Re: Securely Random Strings

2012-04-12 19:12 • by lumberjack (unregistered)
379061 in reply to 378999
Foo Bar:
Leper! Outcast! Unclean!

However, as a WTF this one really isn't so awful. GeneratePassword uses decent randomness, and stripping out non-alphas is OK for a URL.


The real WTF is the Thomas Covenant reference.

Re: Securely Random Strings

2012-04-12 19:51 • by aw (unregistered)
379064 in reply to 379030
wibble factory:
Hmmmm:
Hmmmm:
Assuming what someone else said is true is never a good idea as it often isn't. The 2nd param is the minimum number of non-alphanumerics not the maximum or actual number.

FTFM


from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

public static string GeneratePassword(
int length,
int numberOfNonAlphanumericCharacters
)

...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual) it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

minNumNonAlphanumChars

Captcha: commoveo - as we get bald we start to use hairstyles called commeoveos

Re: Securely Random Strings

2012-04-12 19:53 • by Dirk (unregistered)
Unclean! Unclean!

Re: Securely Random Strings

2012-04-12 19:59 • by aw (unregistered)
379066 in reply to 379038
Coffee Hound:
Code Challenge:
The shortest legible password generator that considers the following:
- Alpha only, or alpha numeric, or alpha-num + symbols
- Minimum and maximum length can be specified
- Minimum/maximum length of any group (alpha, num etc.) can be specified.
- Sufficiently random

Bonus points:
- No dictionary words from lang of choice
- Uniformly distributed over possible set of characters
And....
GO

I'll get you started....


#include <iostream>
#include <string>
using namespace std;

// Password classes selected by the caller
enum { alpha, alphanum, alphanumsym };

string passwordGenerator(int type)
{
    string password;
    switch(type)
    {
    case alpha:
        cout << "Please enter a password containing letters only, that does not contain real words from the dictionary" << endl;
        cin >> password;
        return password;
    case alphanum:
        cout << "Please enter a password containing letters and numbers only, that does not contain real words from the dictionary" << endl;
        cin >> password;
        return password;
    case alphanumsym:
        cout << "Please enter a password containing letters numbers and symbols, that does not contain real words from the dictionary" << endl;
        cin >> password;
        return password;
    default:
        /* Updated 12/4 for security */
        return "admin01"; //"qwe123"; //"blink182"
    }
}

Re: Securely Random Strings

2012-04-12 20:01 • by e54yadsrhxfb (unregistered)
379067 in reply to 379050
Jay:
the beholder:
vahokif:
Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
I can't find any numbers between 'a' and 'z'. Now what?


I see i, v, x, l, c, d, and m.

You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.
bcdef too for the hexadecimally inclined

Re: Securely Random Strings

2012-04-12 20:31 • by Odin (unregistered)
379069 in reply to 379015
Anon:
public static string GeneratePassword (int length, int numberOfNonAlphanumericCharacters)

protected String getRanString()
{
return GeneratePassword(10,0);
}

The remaining code is useless because the 2nd argument asks for zero punctuation characters.


It asks for Yahtzee?

Re: Securely Random Strings

2012-04-12 21:46 • by Cheong (unregistered)
379073 in reply to 379002
the beholder:
vahokif:
Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
I can't find any numbers between 'a' and 'z'. Now what?

Use " and" as your password then.

Re: Securely Random Strings

2012-04-12 23:56 • by default_ex (unregistered)
379074 in reply to 379032
Mason Wheeler:
"System.Web.Security.Membership.GeneratePassword"? Ugh. You think they could cram a few more levels of hierarchical namespacing into that if they tried? Just in case 5 isn't ugly enough for someone out there?


If you've never used .Net, it's actually not bad with how .Net's "using" statements work. The only time you really have to type out the full namespace hierarchy is when there is a naming conflict with another namespace you've pulled in with a "using" statement. It's a really nice feature if you make heavy use of the IDE, a lot of the VS IDE is sensitive to what namespaces you bring in with "using" statements.

Re: Securely Random Strings

2012-04-13 00:23 • by Lefty (unregistered)
379075 in reply to 379002
Switch to EBCDIC.

Re: Securely Random Strings

2012-04-13 02:04 • by Weps

uncleanRandomString = uncleanRandomString.Replace(")", "m");
uncleanRandomString = uncleanRandomString.Replace("_", "d");
uncleanRandomString = uncleanRandomString.Replace("-", "5");


and he still didn't think of md5....

Re: Securely Random Strings

2012-04-13 02:06 • by L. (unregistered)
379077 in reply to 379030
wibble factory:
Hmmmm:
Hmmmm:
Assuming what someone else said is true is never a good idea as it often isn't. The 2nd param is the minimum number of non-alphanumerics not the maximum or actual number.

FTFM


from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

public static string GeneratePassword(
int length,
int numberOfNonAlphanumericCharacters
)

...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual) it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

I have only one word for this kind of WTF:

Microsoft

Re: Securely Random Strings

2012-04-13 02:17 • by L. (unregistered)
379078 in reply to 379038
Coffee Hound:
Code Challenge:
The shortest legible password generator that considers the following:
- Alpha only, or alpha numeric, or alpha-num + symbols
- Minimum and maximum length can be specified
- Minimum/maximum length of any group (alpha, num etc.) can be specified.
- Sufficiently random

Bonus points:
- No dictionary words from lang of choice
- Uniformly distributed over possible set of characters
And....
GO


I think you can do that in 5 minutes with a perl lib .. they have libs for everything mad and language-y

Re: Securely Random Strings

2012-04-13 02:40 • by +9 (unregistered)
// ...
// several lines of code to be decently paid
// ...
return "hunter2";

Re: Securely Random Strings

2012-04-13 02:59 • by Mathew (unregistered)
For those who didn't get it, here's how you would code this in a secure way:

protected String getRanString()
{
String uncleanRandomString = System.Web.Security.Membership.GeneratePassword(10, 0);
uncleanRandomString = uncleanRandomString.Replace("!", "a");
uncleanRandomString = uncleanRandomString.Replace("@", "2");
uncleanRandomString = uncleanRandomString.Replace("#", "c");
uncleanRandomString = uncleanRandomString.Replace("$", "4");
uncleanRandomString = uncleanRandomString.Replace("%", "3");
uncleanRandomString = uncleanRandomString.Replace("^", "i");
uncleanRandomString = uncleanRandomString.Replace("&", "a");
uncleanRandomString = uncleanRandomString.Replace("*", "9");
uncleanRandomString = uncleanRandomString.Replace("(", "g");
uncleanRandomString = uncleanRandomString.Replace(")", "s");
uncleanRandomString = uncleanRandomString.Replace("_", "h");
uncleanRandomString = uncleanRandomString.Replace("-", "a");
uncleanRandomString = uncleanRandomString.Replace("+", "2");
uncleanRandomString = uncleanRandomString.Replace("=", "q");
uncleanRandomString = uncleanRandomString.Replace("[", "w");
uncleanRandomString = uncleanRandomString.Replace("{", "t");
uncleanRandomString = uncleanRandomString.Replace("]", "r");
uncleanRandomString = uncleanRandomString.Replace("}", "f");
uncleanRandomString = uncleanRandomString.Replace(";", "8");
uncleanRandomString = uncleanRandomString.Replace(":", "z");
uncleanRandomString = uncleanRandomString.Replace("<", "x");
uncleanRandomString = uncleanRandomString.Replace(">", "0");
uncleanRandomString = uncleanRandomString.Replace("|", "v");
uncleanRandomString = uncleanRandomString.Replace(".", "b");
uncleanRandomString = uncleanRandomString.Replace("/", "y");
uncleanRandomString = uncleanRandomString.Replace("?", "t");
return uncleanRandomString;
}

Re: Securely Random Strings

2012-04-13 08:22 • by PedanticCurmudgeon
379087 in reply to 379057
Peter:
Sea Sharp, Waves Hurt:
Foo Bar:
Leper! Outcast! Unclean!
Thomas Covenant. Classy :).
God, no. Those were awful books.
You read more than one of them? Why?

Re: Securely Random Strings

2012-04-13 09:21 • by Claxon
It doesn't seem 'Too bad' to me.


The generated password only contains alphanumeric characters and the following punctuation marks: !@#$%^&*()_-+=[{]};:<>|./?. No hidden or non-printable control characters are included in the generated password


So System.Web.Security.Membership.GeneratePassword(10, 0); creates a random alpha-numeric string which includes the extra characters. But the programmer doesn't want any of those characters in password strings so they're performing a manual replace on each of the special characters.

Re: Securely Random Strings

2012-04-13 09:52 • by Mainframe Web Dev (unregistered)
379100 in reply to 379075
Lefty:
Switch to EBCDIC.


Hooray!

Re: Securely Random Strings

2012-04-13 10:02 • by PiisAWheeL
379103 in reply to 379043
Larry:
There are plenty of numbers between 'a' and 'z':

perl -e '$X="a";while ($X le "z"){print $X++;}'
abcdefghijklmnopqrstuvwxyz
Not a single 1 of those is a number.

Re: Securely Random Strings

2012-04-13 10:08 • by jmacpherson (unregistered)
379106 in reply to 379067
All the letters are numerals for base 36.

Re: Securely Random Strings

2012-04-13 12:55 • by PiisAWheeL
379128 in reply to 379106
jmacpherson:
All the letters are numerals for base 36.
Nobody in their right mind uses base36. A keyboard isn't used in a base36 context. It CAN be, but generally is not. So when we refer to the symbols on a keyboard, and put a requirement referring to numbers between 2 keys, and nobody has specified that we are using base36, then base 10 is assumed, and the symbols that are not arabic numbers are considered 'letters' and not 'numbers'. So no, nobody specified base36 beforehand, so no, there are no numbers between 'a' and 'z' on a qwerty or dvorak keyboard.

Re: Securely Random Strings

2012-04-13 14:24 • by Squiggler (unregistered)
You berated the programmer for not using md5, but he did!

uncleanRandomString = uncleanRandomString.Replace(")", "m");
uncleanRandomString = uncleanRandomString.Replace("_", "d");
uncleanRandomString = uncleanRandomString.Replace("-", "5");

Re: Securely Random Strings

2012-04-15 00:23 • by Gibbon1 (unregistered)
379155 in reply to 379025
Hmmmm:
RichP:
Why do I have the sneaking suspicion that he ran GeneratePassword and hand-selected the alphanumerics to use as the substitute in order to be "more randomer"?

Assuming what someone else said is true then most definitely not or he would have realised that no non-alphanumerics were getting generated anyway...


I'm going to assume he thought like other people that the second term would squash the non-alpha numeric characters. When it obviously didn't, he slapped in a fix and got on with his life. Since there are no important effects outside the function itself, it's not very wtf.

Big WTF is something that causes difficult to explain side effects, or subtle failures far from the offense itself.

Re: Securely Random Strings

2012-04-16 05:02 • by I see what you did, there (unregistered)
379166 in reply to 379103
PiisAWheeL:
Larry:
There are plenty of numbers between 'a' and 'z':

perl -e '$X="a";while ($X le "z"){print $X++;}'
abcdefghijklmnopqrstuvwxyz
Not a single 1 of those is a number.


Hint: Ipsum Lorem, Pagina III.

Re: Securely Random Strings

2012-04-17 06:20 • by Shinhan7
"Apparently, this developer was too proud for base 64 encoding"

I don't get it. How would base64 encoding help with random strings?

With MD5 I could do MD5(RAND()) and get a reasonably random string of mostly numbers and a couple of letters (0-F). But how can one use Base 64 when generating a random string?

Re: Securely Random Strings

2012-04-17 07:32 • by eXlit (unregistered)
379317 in reply to 379006
umm, because it won't work on mac?

Re: Securely Random Strings

2012-04-23 09:20 • by visualbasucks (unregistered)
Is there a formula for determining the decreased entropy?


like

cat /dev/absolutelyrandom | randomdetection
100%
(after some time)

cat /dev/absolutelyrandom | replacing_certain_strings_with_absolutelynon_random | randomfilter
30%

?

Dunno how the Laplace Distribution plays in there, but some symbols have 1:1 conversion and are a crib enabler.
Maybe one could build a functioning string (bash shebang?) out of the 1:1 fixed translation conversion symbols.

And yes, the use of cat might be a deadvisable one, but I like pipes.
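
Added example (not part of the thread, and not the original article's code): the entropy question in the comment above, worked in Python. It assumes each character is drawn independently and uniformly from the 62 alphanumerics plus the 26 punctuation marks quoted earlier in the thread (the real GeneratePassword distribution is not measured here) and applies the replacement table from Mathew's comment; for the earlier base64 question it also includes a hypothetical `base64url_token` helper that encodes CSPRNG bytes directly.

```python
import base64
import math
import secrets
import string
from collections import Counter

ALNUM = string.ascii_letters + string.digits   # 62 symbols
PUNCT = "!@#$%^&*()_-+=[{]};:<>|./?"           # the 26 marks quoted in the thread
# Replacement table from Mathew's comment, in the same order as PUNCT.
REPLACEMENTS = dict(zip(PUNCT, "a2c43ia9gsha2qwtrf8zx0vbyt"))


def output_distribution(alphabet, mapping):
    """Per-symbol output probability when inputs are uniform over alphabet (assumption)."""
    counts = Counter(mapping.get(ch, ch) for ch in alphabet)
    return {sym: n / len(alphabet) for sym, n in counts.items()}


def shannon_bits(dist):
    """Average bits of entropy per character."""
    return -sum(p * math.log2(p) for p in dist.values())


def min_entropy_bits(dist):
    """Worst-case bits per character: what a guesser who always tries the likeliest symbol faces."""
    return -math.log2(max(dist.values()))


def base64url_token(nbytes=9):
    """OS CSPRNG bytes, base64url-encoded: exactly 6 bits per output character."""
    raw = secrets.token_bytes(nbytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def report(length=10):
    """Entropy in bits for a string of `length` independent characters."""
    raw = output_distribution(ALNUM + PUNCT, {})
    remapped = output_distribution(ALNUM + PUNCT, REPLACEMENTS)
    return {
        "raw": shannon_bits(raw) * length,
        "remapped": shannon_bits(remapped) * length,
        "remapped_min": min_entropy_bits(remapped) * length,
        "uniform_alnum": math.log2(len(ALNUM)) * length,
    }


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{name:14s} {bits:5.1f} bits per 10 characters")
    print("base64url sample:", base64url_token())
```

Under these assumptions the remapped 10-character string carries about 58.3 bits, below both the 64.6 bits of the unfiltered string and the 59.5 bits of a uniform alphanumeric one, because 'a', '2' and 't' end up over-represented. A 12-character base64url token from 9 random bytes carries 72 bits and is already URL-safe.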
