6/26/2023 0 Comments Generated passwordsThey're well published, since high quality pseudo-randomness is a valuable thing for everyone. The algorithm is easier to find out than the actual random bytes used to seed the algorithm. Of course, if those two bytes and the algorithm used to generate passwords are known to the attacker the actual password can be derived. In this way a password generator using 2 bytes of entropy from /dev/random (not /dev/urandom) can produce a 40-character password of high apparent randomness. A deterministic machine using a random input can produce output containing zero to the amount of entropy it got as input, but not introduce any new entropy. Not must be.Īs for your second point, about a deterministic machine's inability to produce random output. To whit, good passwords can be completely random. When you have very large length (512 characters!) the password can include significantly less entropy for the same attack resistance. When you can't use length (that 8 character limit again) you're stuck with high entropy. Therefore a good password has high entropy AND length. (I had a blog post about this a while back that goes into more detail about this issue in the context of cross-platform password policies. The second would be an insane password for Solaris since it would be truncated after the 8th character, where the first would be lamentable on Windows if that password hash ever got discovered (sniffed in flight, sucked down from a domain controller, that kind of thing) thanks to Rainbow Tables. The second has laughable entropy out to 16 characters, but passable entropy after that. The first has very high entropy out to eight characters. It has also divided what counts as a good password.Ī good password on Windows: 0123456789abcefBubba2pAantz The (welcome) death of the 8-character limit on passwords has opened up a whole new universe of good password possibilities.
0 Comments
Leave a Reply. |