So, I just read the article you mentioned, and I have to tell you, I think he’s (or she’s) incorrect.
GetBytes() returns random bytes. That’s 0-255 taking up 8 bits. Ln2(8) = 3. Fifteen characters at 3 bits of entropy each will give you 45 bits of entropy. But then you convert it to Base64. Base64 is limited to 6 bits of information ( [System.Math]::Pow(2, 6) = 64 ). That is by definition where the name of the algorithm comes from! Ln2(6) = 2.58. Significant reduction. He/she also conflates the fact that while a representation of Base64 is generally longer (although not always for small amounts of text) the entropy is controlled by the character set, not the representation. If I remember correctly, the number of printable ASCII characters is actually only 96. Ln2(7) ~= 2.81. But the number is effectively less than that, because 32 of those characters are not used. So Ln2(6.5) ~= 2.70. So the maximum entropy you can obtain with a 15 character password is ~40.5 – assuming that the password is completely random and the available character set allows all 96 characters available. That’s almost 50 years to brute force. But the password will almost certainly be gibberish. Note: There are assumptions in this calculation: [1] I’m assuming online cracking attempts, not on-premises. On-premises cracking attempts can be much much faster, on the order of 50 million attempts a second; [2] Yes, Windows will allow you to enter in non-printable characters for passwords – but very few websites (if any?) will allow this. In fact, most websites have far more strict password guidelines than “15 maximum characters of charset-96”. From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Wednesday, February 3, 2016 10:36 PM To: [email protected] Subject: RE: [powershell] Random Password Generator The maximum entropy you get from Base64 is 2.58 bits per character, kinda by definition( ln2( 6 ) ). Given that your maximum length is 15 digits, that limits you to ~38 bits of entropy. At a thousand guesses a second, that’s about 8 years to brute force. Not bad. However, you’ve GIVEN UP over 10 bits of entropy because of four constant characters, taking you to about 28 bits of entropy. Believe it or not, having constants makes a password far far easier to crack. (This is why the revelation of a non-random non-prime in netcat/socat is such a big deal – it makes Diffie-Helman much much simpler to crack.) That’s about 3 days to brute force. That is completely believable for someone to spend the time/energy to crack. (And remember, the 3 days assumes that your password is the last one checked, out of the entire “password universe” – on average, assume half that.) So, the lesson here is that 15 bytes of base64 is fine (if impossible to remember). But don’t use constants. Evah. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Sean Martin Sent: Wednesday, February 3, 2016 3:24 PM To: [email protected]<mailto:[email protected]> Subject: [powershell] Random Password Generator I don't get the opportunity to contribute all that often so I thought I would throw this out there in case it helps anyone. I got the method from this article: https://www.scriptjunkie.us/2013/09/secure-random-password-generation/ I modify the resulting password by prepending/appending a couple of special and numerical characters to ensure it meets complexity requirements in my current environment. Easy way to generate a secure password whenever the need arises. Critiques are always welcome. =================================================================== # Generate Random Password $randombytes = new-object byte[] 15 (new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($randombytes) $pass = [System.Convert]::ToBase64String($randombytes) $password = "&#" + $pass + "82" Write-Host "" Write-Host "Your password is: " -ForeGroundColor Cyan -NoNewLine Write-Host "$Password" -ForeGroundColor Yellow Write-Host "" Write-Host "" Write-Host "Press enter to exit script..." -ForeGroundColor Cyan $Pause = Read-Host Exit ================================================================== - Sean ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1 ================================================ Did you know you can also post and find answers on PowerShell in the forums? http://www.myitforum.com/forums/default.asp?catApp=1
