[Haskell-cafe] Re: Password hashing
Martijn van Steenbergen <[EMAIL PROTECTED]> wrote: > roger peppe wrote: > > if you're prepared to expend a few cpu cycles, you can always > > use something like the following "beating clocks" algorithm, which > > should generate > > at least some genuine randomness, as long as you've got preemptive > > scheduling, and a few hardware interrupts around the place. > > I was taught that using the scheduler to generate randomness is a > pretty bad idea, because randomness is actually a *very* strong > property to demand from a stream of bits, and a scheduler doesn't > offer any such guarantees. > The scheduler is as fine a chaotic system as your average cube centimetre of air: Very, very little disturbances (like a keypress or a network packet) can change the order of task switching drastically, even more so if stuff runs with different priorities. What it certainly (hopefully) won't guarantee is a random distribution over a wide range, but what it will have is an infinite period as it's based on external events. You can fix the distribution problem with a secure hash of your choice. -- (c) this sig last receiving data processing entity. Inspect headers for copyright history. All rights reserved. Copying, hiring, renting, performance and/or quoting of this signature prohibited. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] Re: Password hashing
Andrew.Butterfield: > > >someone asked: > >>>What can be used for generating a random salt? Is System.Random > >>>secure enough? > >>> > Achim Schneider wrote: > >...or by pinging a random host and taking the time difference, checking > >the current cpu temperature and fan speed, counting how many times > >your process gets suspended in a certain amount of time, taking a > >picture of a lava lamp and hashing it, booting windows, not doing > >anything, and measure the time it takes to crash, hashing a snapshot > >of the slashdot frontpage, and, last, but not least, measuring the > >amount of spam per second currently swooshing into your mail account. > > > > > > or http://www.random.org/ perhaps ? Via, System.Random.Atmosphere http://hackage.haskell.org/packages/archive/RandomDotOrg/0.2.1/doc/html/System-Random-Atmosphere.html ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
Re: [Haskell-cafe] Re: Password hashing
someone asked: What can be used for generating a random salt? Is System.Random secure enough? Achim Schneider wrote: ...or by pinging a random host and taking the time difference, checking the current cpu temperature and fan speed, counting how many times your process gets suspended in a certain amount of time, taking a picture of a lava lamp and hashing it, booting windows, not doing anything, and measure the time it takes to crash, hashing a snapshot of the slashdot frontpage, and, last, but not least, measuring the amount of spam per second currently swooshing into your mail account. or http://www.random.org/ perhaps ? -- Andrew Butterfield Tel: +353-1-896-2517 Fax: +353-1-677-2204 Foundations and Methods Research Group Director. School of Computer Science and Statistics, Room F.13, O'Reilly Institute, Trinity College, University of Dublin http://www.cs.tcd.ie/Andrew.Butterfield/ ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
[Haskell-cafe] Re: Password hashing
Bulat Ziganshin <[EMAIL PROTECTED]> wrote: > Hello Bit, > > Wednesday, October 29, 2008, 4:32:51 PM, you wrote: > > >> It's a good idea to salt your passwords before hashing, though. See > > What can be used for generating a random salt? Is System.Random > > secure enough? > > if you use mkStdRNG it's good enough for non high-secure programs. it > inits rnd generator with current time upo to picoseconds (if your OS > provides such granularity). you can add a bit f security by reading a > few bytes from /dev/urandom and passing these to mkStdRNG > ...or by pinging a random host and taking the time difference, checking the current cpu temperature and fan speed, counting how many times your process gets suspended in a certain amount of time, taking a picture of a lava lamp and hashing it, booting windows, not doing anything, and measure the time it takes to crash, hashing a snapshot of the slashdot frontpage, and, last, but not least, measuring the amount of spam per second currently swooshing into your mail account. -- (c) this sig last receiving data processing entity. Inspect headers for copyright history. All rights reserved. Copying, hiring, renting, performance and/or quoting of this signature prohibited. ___ Haskell-Cafe mailing list Haskell-Cafe@haskell.org http://www.haskell.org/mailman/listinfo/haskell-cafe
