[erlang-questions] Password generator in Erlang

Samuel <>
Fri Aug 17 09:04:34 CEST 2012


> Thank Serker.
>
> Moving andom:seed(A1, A2, A3) at start fix it.
>
> 1> passwd:test().
> Generate 10000 random password and check for collisions ...
> Number of collisions: 0

There are a number of problems with both implementations.

First, random:uniform is not cryptographically secure, which means is
somewhat predictable. As already mentioned use any other generator
meant to be secure as the one in crypto or the ssl library.

Even using a secure pseudrandom generator:

Your first implementation destroys the security, as you are creating a
seed for each random number an attacker just needs to guess the seed
sequence, not the pseudorandom sequence. In your case you had a side
effect of generating collisions, but that was not the worst problem.

The second implementation is more secure in that sense, but still the
original seed is guessable. An attacker can generate possible password
sequences by bruteforce just tying possible now tuples around the time
he thinks the real seed was created.

So, if you want to create passwords difficult to guess, you need at
least a cryptographically secure PRG, which will give you an
unpredictable sequence of bytes, and an unguessable seed, which will
give prevent any attacker from creating the same sequence of bytes
again an completely break all your passwords.

Best
-- 
Samuel



More information about the erlang-questions mailing list