This article has not yet been rated on Wikipedia's content assessment scale.
What's the real main article for this page? Examples is a redirect page.
Also, these code fragments are very poor. They seed the random number generator based on the time of day, so if I know the server's time of day when the account was created, I know the password! -- Mikeblas 01:07, 3 February 2006 (UTC)
The paragraph about the problems with the C standard library random number generator is irrelevant. For generation of an ASCII password, as long as the possible range of outputs is larger than the number of acceptable ASCII characters - from decimal 33 to decimal 126 - the absolute size of the output is unimportant. The random number will be modded by 94 anyway.
The small number of possible outputs of the C standard library rand() function is indeed important - but only when the full range of numbers is used, such as in a cryptographic hash. It need not be mentioned here, and is in fact misleading and confusing when it is. What is significant is the potential size of the seed - since the generator is deterministic up to seed choice, an attacker who knew the algorithm for generating the password from a given random number could simply test the results of all possible seed values, if the maximum seed size is small. -- GFett ( talk) 18:43, 7 September 2008 (UTC)
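The two comments above make the same point from different angles: with a time-derived seed, the unknown is the seed and not the password. The sketch below is an added example, not code from the article or from any commenter; the function names, the 12-character length, the timestamp and the one-hour window are all assumptions chosen for illustration. It puts a clock-seeded generator beside a CSPRNG-based replacement and shows how few candidates an auditor has to regenerate to find the issued password.

```python
import random
import secrets

# Printable ASCII 33..126: the 94-character range named in the comment above.
ALPHABET = [chr(c) for c in range(33, 127)]

def time_seeded_password(seed, length=12):
    """Deliberately weak: a deterministic PRNG seeded with a clock value."""
    rng = random.Random(seed)
    # "modded by 94": reduce each PRNG output to an index into the alphabet.
    return "".join(ALPHABET[rng.getrandbits(31) % 94] for _ in range(length))

def candidate_seeds(password, earliest, latest):
    """Return every seed in [earliest, latest] that reproduces `password`."""
    length = len(password)
    return [s for s in range(earliest, latest + 1)
            if time_seeded_password(s, length) == password]

def csprng_password(length=12):
    """Hardened form: each character comes from the OS CSPRNG, no seed to guess."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

# Constructed sample: a made-up Unix timestamp standing in for account creation.
CREATED_AT = 1138928820
ISSUED = time_seeded_password(CREATED_AT)

# Knowing the creation time only to within +/- one hour leaves 7201 seeds,
# about 12.8 bits of uncertainty, however long the password is.
WINDOW = (CREATED_AT - 3600, CREATED_AT + 3600)

if __name__ == "__main__":
    print("seeds reproducing the issued password:",
          candidate_seeds(ISSUED, *WINDOW))
    print("CSPRNG replacement:", csprng_password())
```

A 12-character password over 94 symbols could carry about 78 bits; seeded this way it carries no more than the attacker's uncertainty about the clock.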
Even if this section were to stay, the introduction seems very biased to me. And it seems very ambiguous: what is a "naive programmer"? Who decides who is one and who isn't? Could "unexperienced" substitute for "naive" here? To become philosophical: What is naive? Who decides...? etc. You catch my drift. -- MIB4u ( talk) 03:39, 6 October 2008 (UTC)
Thank you to all this article's authors. BTW is there a case for changing this article's title to Random Password Generator Software or Programming? - Cheers, John S Woler ( talk) 15:15, 27 March 2013 (UTC)
The subject of password generation and web sites was briefly touched upon. But it fails to mention some sites attempt to track users, or inventory the usage, allow the webpages to be cached, or use unsecure forms of scripting or third party tools...
Also, it seems that websites which only offer a secure connection and no login are rare. The following site is secure, non-tracking, etc, and gives pseudo-random passwords freely. Should its URL be included in the "External links" section? https://www.grc.com/passwords.htm —Preceding unsigned comment added by 64.231.103.110 ( talk) 17:05, 10 September 2009 (UTC)
If I wanted to phish passwords, I'd simply set up a password generator site, store all generated passwords, and after some collecting ... try them at the Top 100 sites like Amazon, eBay, etc. Seriously: Generate your passwords yourself! Most passwords are not cracked, because they are too short, but because they are shared among sites, or easily collected like I described. — Preceding unsigned comment added by 79.197.66.117 ( talk) 12:38, 12 May 2013 (UTC)
Hey what is Non-alphanumerical in passwords§♦ —Preceding unsigned comment added by 76.0.43.217 ( talk) 22:50, 3 March 2010 (UTC)
I noticed that the Python code snippet that samples the OS entropy pool will never use the same character twice. I'm pretty sure this is bad as this reduces the search space for a brute force attack. By my calculation the search space is reduced from to or to . Not all that bad, but if you use this to make a large password (say 62 chars long which is the largest you can do with this snippet without breaking as there are only 62 unique chars available) then the difference starts to matter as it is ≈(allows duplicates) to ≈. I'll gladly contribute a new snippet as soon as I finish it. Smittycity42 ( talk) 10:44, 23 March 2011 (UTC)
As Promised:
#!/usr/bin/python
import random, string
myrg = random.SystemRandom()
length = 100
alphabet = string.letters + string.digits
pw = str().join(myrg.choice(alphabet) for _ in xrange(length))
print pw
If there are no objections in a few days I will go ahead and edit the page. Smittycity42 ( talk) 22:04, 27 March 2011 (UTC)
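The search-space comparison raised in this thread can be worked through for any length. The block below is an added example in Python 3, not the article's snippet or the commenter's code; it assumes the snippet being criticised drew characters with a sample-without-replacement call, and the function names and the lengths in the table are illustrative.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # the 62 characters discussed
_sysrand = secrets.SystemRandom()                  # draws from the OS entropy pool

def password_no_repeats(length):
    """Assumed behaviour of the criticised snippet: no character can recur."""
    # Raises ValueError for length > 62, the "breaking" point mentioned above.
    return "".join(_sysrand.sample(ALPHABET, length))

def password_with_repeats(length):
    """Independent draws: every position can be any of the 62 characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def bits_no_repeats(length, k=len(ALPHABET)):
    """log2 of k!/(k-length)!, the count of ordered selections without repeats."""
    return math.log2(math.perm(k, length))

def bits_with_repeats(length, k=len(ALPHABET)):
    """log2 of k**length, the count of strings when repeats are allowed."""
    return length * math.log2(k)

def entropy_loss_table(lengths=(8, 16, 32, 62)):
    """Rows of (length, bits with repeats, bits without repeats, bits lost)."""
    rows = []
    for n in lengths:
        with_rep, without = bits_with_repeats(n), bits_no_repeats(n)
        rows.append((n, round(with_rep, 2), round(without, 2),
                     round(with_rep - without, 2)))
    return rows

if __name__ == "__main__":
    for row in entropy_loss_table():
        print("len=%2d  with=%7.2f  without=%7.2f  lost=%6.2f bits" % row)
    print(password_with_repeats(16))
```

At 8 characters the no-repeat rule costs under one bit; at 62 characters it costs about 85 bits, because the last characters of the password are almost fully determined by the ones before them.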
"In fact there is no need at all for a password to have been produced by a perfectly random process: it just needs to be sufficiently difficult to guess." [Comment preserved for discussion.]
a) Not true for all situations, and therefore it seems likely to mislead many readers. Who can say what constitutes "sufficiently difficult to guess," in which applications, and for how long, given the increasing sophistication of cracking tools? The truth of the argument is dependent on one's understanding and/or definition of "sufficiency." Humans are notoriously poor at estimating what others can't guess, and this includes many tools to simulate randomness. If one can determine the means of generation, one can reverse engineer it. I'm in favor of clarifying, amending or deleting that remark. (Its practical truth is outweighed by the number of possible false interpretations.)
b) There are numerous articles in Wikipedia on "pseudorandom number generation" (I count four articles on the topic). Is there an argument for renaming this article "Pseudorandom password generation"? (i.e., is "computational true randomness" possible?) This article dangerously conflates mechanical (true) random generation with pseudo-random computational processes, often in the same paragraph. Some elucidation seems useful, perhaps by adding a subheading or changing the name? Question certainty ( talk) 23:22, 23 February 2014 (UTC)
What does this do?
rand() creates a random number and the next random number follows on from this
srand(rand()); creates another random number, then sets the start to be the value it was going to start from anyway
so srand(rand()) is equivalent to rand() [citation needed]
87.102.44.18 ( talk) 14:35, 11 January 2016 (UTC)