• Zunetang (unregistered) in reply to Jay
    Jay:
    the beholder:
    vahokif:
    Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
    I can't find any numbers between 'a' and 'z'. Now what?

    I see i, v, x, l, c, d, and m.

    You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.

    You're just a pissing fag! You fu...

    Oh, wait... My apologies.

  • Peter (unregistered) in reply to Sea Sharp, Waves Hurt
    Sea Sharp:
    Foo Bar:
    Leper! Outcast! Unclean!
    Thomas Covenant. Classy :).
    God, no. Those were awful books.
  • gloin (unregistered)

    This is bound to lead to Ovaltine.

  • Irish girl spotted (unregistered)

    http://images.smh.com.au/2012/04/12/3211657/hacker-353-200x0.jpg

    Turns out she was Australian after all and likes nerds!

  • lumberjack (unregistered) in reply to Foo Bar
    Foo Bar:
    Leper! Outcast! Unclean!

    However, as a WTF this one really isn't so awful. GeneratePassword uses decent randomness, and stripping out non-alphas is OK for a URL.

    The real WTF is the Thomas Covenant reference.

  • aw (unregistered) in reply to wibble factory
    wibble factory:
    Hmmmm:
    Hmmmm:
    Assuming what someone else said is true is never a good idea, as it often isn't. The 2nd param is the minimum number of non-alphanumerics, not the maximum or actual number.
    FTFM

    from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

    public static string GeneratePassword( int length, int numberOfNonAlphanumericCharacters )

    ...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual), it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

    minNumNonAlphanumChars

    Captcha: commoveo - as we get bald we start to use hairstyles called commeoveos

  • Dirk (unregistered)

    Unclean! Unclean!

  • aw (unregistered) in reply to Coffee Hound
    Coffee Hound:
    Code Challenge: The shortest legible password generator that considers the following:
    - Alpha only, or alpha numeric, or alpha-num + symbols
    - Minimum and maximum length can be specified
    - Minimum/maximum length of any group (alpha, num etc.) can be specified.
    - Sufficiently random

    Bonus points:

    • No dictionary words from lang of choice
    • Uniformly distributed over possible set of characters

    And.... GO
    I'll get you started....
    #include <iostream>
    #include <string>
    using namespace std;

    // The three "types" the challenge asks for.
    enum PasswordType { alpha, alphanum, alphanumsym };

    string passwordGenerator(int type)
    {
      string password;
      switch(type)
      {
        case alpha:
          cout << "Please enter a password containing letters only, that does not contain real words from the dictionary" << endl;
          cin >> password;
          return password;
        case alphanum:
          cout << "Please enter a password containing letters and numbers only, that does not contain real words from the dictionary" << endl;
          cin >> password;
          return password;
        case alphanumsym:
          cout << "Please enter a password containing letters, numbers and symbols, that does not contain real words from the dictionary" << endl;
          cin >> password;
          return password;
        default:
          /* Updated 12/4 for security */
          return "admin01"; //"qwe123"; //"blink182"
      }
    }
    
  • e54yadsrhxfb (unregistered) in reply to Jay
    Jay:
    the beholder:
    vahokif:
    Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
    I can't find any numbers between 'a' and 'z'. Now what?

    I see i, v, x, l, c, d, and m.

    You're not limiting yourself to those new-fangled Hindu-Arabic numerals, are you? They're just a passing fad.

    bcdef too, for the hexadecimally inclined

  • Odin (unregistered) in reply to Anon
    Anon:
    public static string GeneratePassword (int length, int numberOfNonAlphanumericCharacters)

    protected String getRanString() { return GeneratePassword(10,0); }

    The remaining code is useless because the 2nd argument asks for zero punctuation characters.

    It asks for Yahtzee?

  • Cheong (unregistered) in reply to the beholder
    the beholder:
    vahokif:
    Just make a char[] and fill it with random numbers between 'a' and 'z', return it with the string constructor.
    I can't find any numbers between 'a' and 'z'. Now what?
    Use " and" as your password then.
  • default_ex (unregistered) in reply to Mason Wheeler
    Mason Wheeler:
    "System.Web.Security.Membership.GeneratePassword"? Ugh. You think they could cram a few more levels of hierarchical namespacing into that if they tried? Just in case 5 isn't ugly enough for someone out there?

    If you've never used .Net, it's actually not bad with how .Net's "using" statements work. The only time you really have to type out the full namespace hierarchy is when there is a naming conflict with another namespace you've pulled in with a "using" statement. It's a really nice feature if you make heavy use of the IDE, a lot of the VS IDE is sensitive to what namespaces you bring in with "using" statements.

  • Lefty (unregistered) in reply to the beholder

    Switch to EBCDIC.

  • (cs)
        uncleanRandomString = uncleanRandomString.Replace(")", "m");
        uncleanRandomString = uncleanRandomString.Replace("_", "d");
        uncleanRandomString = uncleanRandomString.Replace("-", "5");
    

    and he still didn't think of md5....

  • L. (unregistered) in reply to wibble factory
    wibble factory:
    Hmmmm:
    Hmmmm:
    Assuming what someone else said is true is never a good idea, as it often isn't. The 2nd param is the minimum number of non-alphanumerics, not the maximum or actual number.
    FTFM

    from http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx

    public static string GeneratePassword( int length, int numberOfNonAlphanumericCharacters )

    ...even though it's specified in the docs that it's the minimum number of the alpha chars (not the actual), it's totally lame that the second parameter is called 'numberOfNonAlphanumericCharacters' and not 'minimumNumberOfNonAlphanumericCharacters' (or some shorter equivalent)

    I have only one word for this kind of WTF:

    Microsoft

  • L. (unregistered) in reply to Coffee Hound
    Coffee Hound:
    Code Challenge: The shortest legible password generator that considers the following:
    - Alpha only, or alpha numeric, or alpha-num + symbols
    - Minimum and maximum length can be specified
    - Minimum/maximum length of any group (alpha, num etc.) can be specified.
    - Sufficiently random

    Bonus points:

    • No dictionary words from lang of choice
    • Uniformly distributed over possible set of characters

    And.... GO

    I think you can do that in 5 minutes with a perl lib... they have libs for everything mad and language-y

  • +9 (unregistered)

    // ...
    // several lines of code to be decently paid
    // ...
    return "hunter2";

  • Mathew (unregistered)

    For those who didn't get it, here's how you would code this in a secure way:

    protected String getRanString()
    {
        String uncleanRandomString = System.Web.Security.Membership.GeneratePassword(10, 0);
        uncleanRandomString = uncleanRandomString.Replace("!", "a");
        uncleanRandomString = uncleanRandomString.Replace("@", "2");
        uncleanRandomString = uncleanRandomString.Replace("#", "c");
        uncleanRandomString = uncleanRandomString.Replace("$", "4");
        uncleanRandomString = uncleanRandomString.Replace("%", "3");
        uncleanRandomString = uncleanRandomString.Replace("^", "i");
        uncleanRandomString = uncleanRandomString.Replace("&", "a");
        uncleanRandomString = uncleanRandomString.Replace("*", "9");
        uncleanRandomString = uncleanRandomString.Replace("(", "g");
        uncleanRandomString = uncleanRandomString.Replace(")", "s");
        uncleanRandomString = uncleanRandomString.Replace("_", "h");
        uncleanRandomString = uncleanRandomString.Replace("-", "a");
        uncleanRandomString = uncleanRandomString.Replace("+", "2");
        uncleanRandomString = uncleanRandomString.Replace("=", "q");
        uncleanRandomString = uncleanRandomString.Replace("[", "w");
        uncleanRandomString = uncleanRandomString.Replace("{", "t");
        uncleanRandomString = uncleanRandomString.Replace("]", "r");
        uncleanRandomString = uncleanRandomString.Replace("}", "f");
        uncleanRandomString = uncleanRandomString.Replace(";", "8");
        uncleanRandomString = uncleanRandomString.Replace(":", "z");
        uncleanRandomString = uncleanRandomString.Replace("<", "x");
        uncleanRandomString = uncleanRandomString.Replace(">", "0");
        uncleanRandomString = uncleanRandomString.Replace("|", "v");
        uncleanRandomString = uncleanRandomString.Replace(".", "b");
        uncleanRandomString = uncleanRandomString.Replace("/", "y");
        uncleanRandomString = uncleanRandomString.Replace("?", "t");
        return uncleanRandomString;
    }

  • (cs) in reply to Peter
    Peter:
    Sea Sharp:
    Foo Bar:
    Leper! Outcast! Unclean!
    Thomas Covenant. Classy :).
    God, no. Those were awful books.
    You read more than one of them? Why?
  • (cs)

    It doesn't seem 'Too bad' to me.

    The generated password only contains alphanumeric characters and the following punctuation marks: !@#$%^&*()_-+=[{]};:<>|./?. No hidden or non-printable control characters are included in the generated password.

    So System.Web.Security.Membership.GeneratePassword(10, 0); creates a random alpha-numeric string which includes the extra characters. But the programmer doesn't want any of those characters in password strings so they're performing a manual replace on each of the special characters.

  • Mainframe Web Dev (unregistered) in reply to Lefty
    Lefty:
    Switch to EBCDIC.

    Hooray!

  • (cs) in reply to Larry
    Larry:
    There are plenty of numbers between 'a' and 'z':

    perl -e '$X="a";while ($X le "z"){print $X++;}'
    abcdefghijklmnopqrstuvwxyz

    Not a single 1 of those is a number.

  • jmacpherson (unregistered) in reply to e54yadsrhxfb

    All the letters are numerals for base 36.

  • (cs) in reply to jmacpherson
    jmacpherson:
    All the letters are numerals for base 36.
    Nobody in their right mind uses base36. A keyboard isn't used in a base36 context. It CAN be, but generally is not. So when we refer to the symbols on a keyboard, and put a requirement referring to numbers between 2 keys, and nobody has specified that we are using base36, then base 10 is assumed, and the symbols that are not Arabic numbers are considered 'letters' and not 'numbers'. So no, nobody specified base36 beforehand, so no, there are no numbers between 'a' and 'z' on a qwerty or dvorak keyboard.
  • Squiggler (unregistered)

    You berated the programmer for not using md5, but he did!

    uncleanRandomString = uncleanRandomString.Replace(")", "m");
    uncleanRandomString = uncleanRandomString.Replace("_", "d");
    uncleanRandomString = uncleanRandomString.Replace("-", "5");

  • Gibbon1 (unregistered) in reply to Hmmmm
    Hmmmm:
    RichP:
    Why do I have the sneaking suspicion that he ran GeneratePassword and hand-selected the alphanumerics to use as the substitute in order to be "more randomer"?
    Assuming what someone else said is true, then most definitely not, or he would have realised that no non-alphanumerics were getting generated anyway...

    I'm going to assume he thought, like other people, that the second term would squash the non-alphanumeric characters. When it obviously didn't, he slapped in a fix and got on with his life. Since there are no important effects outside the function itself, it's not very wtf.

    Big WTF is something that causes difficult to explain side effects, or subtle failures far from the offense itself.

  • I see what you did, there (unregistered) in reply to PiisAWheeL
    PiisAWheeL:
    Larry:
    There are plenty of numbers between 'a' and 'z':

    perl -e '$X="a";while ($X le "z"){print $X++;}'
    abcdefghijklmnopqrstuvwxyz

    Not a single 1 of those is a number.

    Hint: Ipsum Lorem, Pagina III.

  • (cs)

    "Apparently, this developer was too proud for base 64 encoding"

    I don't get it. How would base64 encoding help with random strings?

    With MD5 I could do MD5(RAND()) and get a reasonably random string of mostly numbers and a couple of letters (0-F). But how can one use Base 64 when generating a random string?

  • eXlit (unregistered) in reply to Smug Unix User

    umm, because it won't work on mac?

  • visualbasucks (unregistered)

    Is there a formula for determining the decreased entropy?

    like

    cat /dev/absolutelyrandom | randomdetection 100% (after some time)

    cat /dev/absolutelyrandom | replacing_certain_strings_with_absolutelynon_random | randomfilter 30%

    ?

    Dunno how the Laplace Distribution plays in there, but some symbols have 1:1 conversion and are a crib enabler. Maybe one could build a functioning string (bash shebang?) out of the 1:1 fixed translation conversion symbols.

    And yes, the use of cat might be an inadvisable one, but I like pipes.
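    There is a formula, and it can be worked through on this thread's own numbers. The following is an added example, not code from the thread or from .NET: it takes the replacement table quoted in Mathew's comment, assumes GeneratePassword draws each of the 88 documented characters with equal probability (an assumption; the real sampling is not shown here), and measures how much per-character entropy the Replace() chain throws away and which outputs become the 1:1 "cribs" mentioned above.

```python
import math
from collections import Counter

# Documented GeneratePassword alphabet: alphanumerics plus these 26 punctuation marks.
PUNCTUATION = "!@#$%^&*()_-+=[{]};:<>|./?"
ALPHANUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ALPHABET = ALPHANUM + PUNCTUATION  # 88 symbols

# The Replace() chain from Mathew's comment as a punctuation -> replacement table
# (same order as PUNCTUATION). Every output is alphanumeric, so the chain never
# cascades and a single lookup table reproduces it exactly.
REPLACEMENTS = dict(zip(PUNCTUATION, "a2c43ia9gsha2qwtrf8zx0vbyt"))

def output_distribution(replacements, alphabet=ALPHABET):
    """Probability of each character after replacement. Assumption: every
    character of `alphabet` is equally likely before the Replace() calls."""
    counts = Counter(replacements.get(ch, ch) for ch in alphabet)
    return {ch: n / len(alphabet) for ch, n in counts.items()}

def shannon_entropy(dist):
    """Average bits per character (the usual 'entropy' figure)."""
    return -sum(p * math.log2(p) for p in dist.values())

def min_entropy(dist):
    """Bits per character against the best single guess; this bounds an
    attacker's per-guess success and drops faster than the Shannon figure."""
    return -math.log2(max(dist.values()))

def collisions(replacements, alphabet=ALPHABET):
    """Output characters that more than one input collapses into."""
    sources = {}
    for ch in alphabet:
        sources.setdefault(replacements.get(ch, ch), []).append(ch)
    return {out: srcs for out, srcs in sources.items() if len(srcs) > 1}

def entropy_report(replacements, length=10):
    """(before, after) bit totals for a password of `length` characters."""
    before = {ch: 1 / len(ALPHABET) for ch in ALPHABET}
    after = output_distribution(replacements)
    return {
        "shannon_bits": (length * shannon_entropy(before), length * shannon_entropy(after)),
        "min_entropy_bits": (length * min_entropy(before), length * min_entropy(after)),
        "most_likely_char": max(after, key=after.get),
    }

if __name__ == "__main__":
    print(entropy_report(REPLACEMENTS))
    print(collisions(REPLACEMENTS))
```

    Under that assumption a 10-character string falls from about 64.6 to 58.3 Shannon bits, and from 64.6 to 44.6 min-entropy bits, because 'a' now arrives from four different inputs.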

  • Geek (unregistered) in reply to wonk

    He's a complex fellow.

Leave a comment on “Securely Random Strings”
