On 27.03.2014 11:27, Joseph Tam wrote:
>
> Reindl Harald <h.rei...@thelounge.net> writes:
>
>> frankly 8 chars is laughable, i recently wrote a PHP library to
>> generate secure random passwords and for 100000 passwords get
>> 13 collisions is way too much given that that means you have
>> a collision every 8000 tries which means not you need 8000
>> in a real world attack
>
> (Off-topic)
>
> Not that I disagree with the conclusion that 8 character passwords are
> weak by today's standards, but there seems to be something wrong with
> your generator (weak PRNG? limited character set?). 13 collisions in
> 10^5 passwords is terrible, even by 1980 Unix standards
* Intel IvyBridge with rngd
* haveged -w 3072 -v 1
* SURELY a limited character set because mail-clients don't handle any char

$internal_random = openssl_random_pseudo_bytes(15) . microtime() . serialize($_SERVER) . serialize($_REQUEST) . serialize($_ENV) . uniqid('', true) . openssl_random_pseudo_bytes(15)

* that is not the problem and a lot of high random crap
* but you can't use that for passwords
* after hash_pbkdf2('sha256', $internal_random, mcrypt_create_iv(16, MCRYPT_DEV_URANDOM), 20, $length) you are limited to low chars and numbers, so you need to randomly uppercase some chars and randomly insert acceptable special chars like array('_','#','*','-','&','!','?','.',',','=')
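The exchange above turns on two numbers: how many distinct values an 8-character password can take, and how many collisions a generator with that many values should produce in 100000 draws. The following is an added example, not code from the thread or from Harald's PHP library: it mimics the derivation step he describes (PBKDF2-SHA256, hex output, truncated to the password length, so every character is one of 16 values) next to a generator that draws each character uniformly with the OS CSPRNG from a mail-safe alphabet, and it applies the birthday approximation n(n-1)/(2N) to both. The special-character set is assumed to be the one listed in the post; the 20-iteration count and the 16-byte salt mirror the hash_pbkdf2 call shown there.

```python
"""Added example (not from the original thread): per-character entropy of a
hex-only PBKDF2-derived password versus one drawn uniformly from a full
printable alphabet, plus the expected number of collisions among n draws
using the birthday approximation n(n-1)/(2N)."""
import hashlib
import math
import secrets
import string

# Alphabet the post's derivation step is limited to before post-processing:
# PHP's hash_pbkdf2() with raw_output=false returns lowercase hex digits.
HEX_ALPHABET = string.digits + "abcdef"

# Mail-client-safe alphabet: letters, digits and the special characters the
# post lists as acceptable (assumption: taken from the array() in the post).
SAFE_SPECIALS = "_#*-&!?.,="
FULL_ALPHABET = string.ascii_letters + string.digits + SAFE_SPECIALS


def hex_pbkdf2_password(seed: bytes, length: int) -> str:
    """Mimic the post's derivation: PBKDF2-SHA256 over a seed with a random
    16-byte salt and 20 iterations, hex-encoded, cut to `length` chars.
    Each character carries only log2(16) = 4 bits."""
    dk = hashlib.pbkdf2_hmac("sha256", seed, secrets.token_bytes(16), 20)
    return dk.hex()[:length]


def uniform_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character independently and uniformly from `alphabet`
    using the OS CSPRNG (secrets), so no uppercasing pass is needed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a uniform password of `length` chars over `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_collisions(n: int, alphabet_size: int, length: int) -> float:
    """Birthday approximation: expected colliding pairs among n uniform draws
    from a space of N = alphabet_size ** length values is n(n-1)/(2N)."""
    space = alphabet_size ** length
    return n * (n - 1) / (2 * space)


def count_collisions(n: int, generator) -> int:
    """Generate n passwords with `generator` and count repeats of earlier ones."""
    seen = set()
    collisions = 0
    for _ in range(n):
        pw = generator()
        if pw in seen:
            collisions += 1
        seen.add(pw)
    return collisions


if __name__ == "__main__":
    for name, size in (("hex", len(HEX_ALPHABET)), ("full", len(FULL_ALPHABET))):
        print(f"{name}: {bits_of_entropy(8, size):.1f} bits for 8 chars, "
              f"expected collisions in 100000 draws: "
              f"{expected_collisions(100000, size, 8):.6f}")
    print("hex-only 8-char sample:", hex_pbkdf2_password(secrets.token_bytes(15), 8))
    print("uniform 8-char sample:", uniform_password(8))
    print("collisions in 20000 uniform 8-char passwords:",
          count_collisions(20000, lambda: uniform_password(8)))
```

Running it shows the gap the reply is pointing at: 8 hex characters give 32 bits (16^8 values), for which the birthday bound predicts about 1.16 colliding pairs per 100000 draws, whereas 8 characters drawn from the 72-symbol alphabet give about 49 bits and an expected collision count in the 10^-6 range, so even a single repeat in 100000 would be a sign that the generator is not uniform.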