Re: Noob dumb question (extending emacs)
From: Yuri Khan
Subject: Re: Noob dumb question (extending emacs)
Date: Sat, 23 Oct 2021 17:16:23 +0700

On Sat, 23 Oct 2021 at 15:41, Michael Heerdegen
<michael_heerdegen@web.de> wrote:
> > Spoiler: secure password generation is not one of those purposes.
>
> If you use Emacs' `random' to generate a password, an attacker would
> need to have access to your system to predict the result. He would at
> least have to know exactly when you started your Emacs session (that
> time is used to generate the seed). Or he would need much more
> pseudo-random numbers from you.
>
> Without any of these, no chance to guess, because there are too many
> possible pseudo-random numbers when you don't know at which position in
> the sequence the generator started.

The position in the sequence, aka the random seed, contains a certain
number of bits. In Emacs, as far as I can tell, best case, the random
seed is 48 bits. Which means, no matter how long a password you (the
user) generate, it still contains only 48 bits of entropy. Whereas
with ‘pwgen’ you get more entropy as you generate a longer password.

An attacker might have access to one or more passwords you generate
before and/or after the password the attacker is interested in, e.g.
by being one of the entities you have an account with, or by
possessing a leaked database of user information from a compromised
service.

(It is also customary, when discussing security, to assume the
attacker knows exactly the algorithms you use.)

It is okay to generate your own passwords using a weak generator if
you are aware of that and deem the risk insignificant.

It is okay to offer a library for password generation using a weak
generator to other people, as long as they are aware and deem the risk
insignificant.

It is *not* okay to offer a library for password generation using a
weak generator to other people without explaining its entropy
characteristics so that they could assess their risk.
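
An added illustration of the entropy cap described in this message (not part of the original thread, and not Emacs' actual generator): Python's seeded `random.Random` stands in for a seeded PRNG, with a constructed 12-bit toy seed so that every seed can be enumerated. The 48-bit figure is the estimate given in the message; the function names and the 62-character alphabet are assumptions made for the example.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def effective_entropy_bits(seed_bits, length, alphabet_size=len(ALPHABET)):
    """Entropy of a PRNG-derived password: capped by the seed size."""
    return min(float(seed_bits), length * math.log2(alphabet_size))

def seeded_password(seed, length):
    """Deterministic: the same seed always yields the same password."""
    rng = random.Random(seed)  # stand-in PRNG, not Emacs' algorithm
    return "".join(rng.choice(ALPHABET) for _ in range(length))

def distinct_passwords(seed_bits, length):
    """Count every password reachable from a seed of `seed_bits` bits."""
    return len({seeded_password(s, length) for s in range(2 ** seed_bits)})

def csprng_password(length):
    """Draw each character from the OS CSPRNG; entropy grows with length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    toy_bits = 12  # constructed toy seed size, small enough to enumerate
    for n in (8, 16, 32):
        print(f"length {n}: {distinct_passwords(toy_bits, n)} reachable "
              f"passwords out of 62^{n}")
    for n in (8, 16, 32):
        print(f"length {n}: {effective_entropy_bits(48, n):.1f} bits with a "
              f"48-bit seed, {n * math.log2(62):.1f} bits from a CSPRNG")
    print("CSPRNG sample:", csprng_password(24))
```

The count of reachable passwords stays at or below 2^12 however long the password is, which is the same cap a 48-bit seed imposes at 2^48.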