Re: Noob dumb question (extending emacs)

[Emanuel Berg]

Yuri Khan wrote:

>> If you use Emacs' `random' to generate a password, an
>> attacker would need to have access to your system to
>> predict the result. He would at least have to know exactly
>> when you started your Emacs session (that time is used to
>> generate the seed). Or he would need much more
>> pseudo-random numbers from you.
>>
>> Without any of these, no chance to guess, because there are
>> too many possible pseudo-random numbers when you don't know
>> at which position in the sequence the generator started.
>
> The position in the sequence, aka the random seed, contains
> a certain number of bits. In Emacs, as far as I can tell,
> best case, the random seed is 48 bits. Which means, no
> matter how long a password you (the user) generate, it still
> contains only 48 bits of entropy.

#! /bin/zsh
$ echo $(( 2**48 ))
281474976710656

Or Elisp:
(expt 2 48)
281474976710656 (#o10000000000000000, #x1000000000000)

> It is *not* okay to offer a library for password generation
> using a weak generator to other people without explaining
> its entropy characteristics so that they could assess
> their risk.

But what is the method stipulated then, we'll just do
a `random-passwd' with that ...

-- 
underground experts united
https://dataswamp.org/~incal