Re: Possible issue with srand or rand in base?
In http://marc.info/?l=openbsd-techm=126562459427981w=1, Janne Johansson jj () it ! su ! se wrote [[about rand(3)]] The weird part of this (I think) for us outside viewers is that rand() has been known to be really poor at random for a long time. Not a few years, but like 20+ years and more. Much more: its flaws (including the low-order K bits being periodic with a period which is = 2^K) were already documented in Knuth volume 2's 1st edition, whose copyright date was 1969. -- -- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu Dept of Astronomy, Indiana University, Bloomington, Indiana, USA C++ is to programming as sex is to reproduction. Better ways might technically exist but they're not nearly as much fun. -- Nikolai Irgens
Re: Possible issue with srand or rand in base?
On Sun, Feb 07, 2010 at 01:59:33PM -0500, Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads One thing which is *really* annoying is that you can't even leave your source around for a day or two for other people to at least see it and join in the discussion. This is just another bad point for you. Definitely no cookie.
Re: Possible issue with srand or rand in base?
I placed the GUI version there are source.cpp. I don't have the simpler, non-GUI version that I posted yesterday, but the use of srand and rand are the same in both examples. The GUI version compiles on OpenBSD if you have fltk installed from ports. I only wrote the simpler version to demonstrate the difference I was seeing. Brad On Mon, 08 Feb 2010 07:57 -0500, Brad Tilley b...@16systems.com wrote: Thought the discussion was over. We repost it later. On Mon, 08 Feb 2010 09:07 +0100, Marc Espie es...@nerim.net wrote: On Sun, Feb 07, 2010 at 01:59:33PM -0500, Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads One thing which is *really* annoying is that you can't even leave your source around for a day or two for other people to at least see it and join in the discussion. This is just another bad point for you. Definitely no cookie.
Re: Possible issue with srand or rand in base?
On Mon, Feb 08, 2010 at 08:10:11AM -0500, Brad Tilley wrote: I placed the GUI version there are source.cpp. I don't have the simpler, non-GUI version that I posted yesterday, but the use of srand and rand are the same in both examples. The GUI version compiles on OpenBSD if you have fltk installed from ports. I only wrote the simpler version to demonstrate the difference I was seeing. Wow, that's fucked. Learn how to use vector, your use of map is incredibly inefficient. And even about rand(), any text book about random number generators will tell you that it's a bad one, and that you don't ever use it with modulo, since the low-level bits are even worse than the high-level bits.
Re: Possible issue with srand or rand in base?
On Sun, Feb 07, 2010 at 01:59:33PM -0500, Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads I could be doing something wrong. I've checked the source code several times but nothing obvious stands out. I'll try a gcc compiler from ports tomorrow to see if that makes a difference. Until then, I thought I'd post to tech. Can anyone tell if I've made an error in the source code? rand(2) EXACTLY performs as is should. Look at the NAME section in the man page. Everyone considering rand() for password generation is in a state of sin. -Otto Output from a current OpenBSD box (notice the first and last chars and how they seldom change) $ ./passgen-obsd 30 msTGrW7C d2TyHePk ViK8R6pU mJTQZnXL di38hwfL msbQh6Xk VJ3G9efU Ma38rEFu VJB8RwxC MsKGzNP4 5SBqrnPu M2ByzN7c MA3qRn74 d23Y9wXc V2tYRWPu dibqznFc maKgRNFc mJjqr674 MJbgHWxu m2jy9Wfc Va3yz67C DATQzWp4 vi3GzEf4 maKGHeXU 5aBgzwX4 M2byrN7c vStgHEpc d2bqhEFc MSbqHn74 d2B8z67u Output from a Windows box (No often repeating characters... seems much more random): c:\passgen.exe 30 Q9RvTAbT zkCKi5Bv yZqqJA7e 7SrN5qkH tA4QB2Hn cUjjxFty GzU2qYAr HX2yZdJs 2VJJrRjj WpfA3hah rYpNfrNt MKkNGxTu eHUauW2u 6EZRGUx7 JURbHdrk Cp7rKwN7 fXRFeJdg NrGHk8A9 vw33ubVk vAcFKh3t vWRtDL4n kf4YGmCZ GdUDJ4iK i52JWyb9 fpCVj5yQ HgEy4R3E uSkQZxXA z7zyL5Mp ESBmEv8d 4EvxqxiY P.S. I installed gcc-4.2 from ports today. It installed OK, but it complained about cc1plus not being found so would not compile the app. Brad
Re: Possible issue with srand or rand in base?
On 7 February 2010 c. 21:59:33 Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads I could be doing something wrong. I've checked the source code several times but nothing obvious stands out. I'll try a gcc compiler from ports tomorrow to see if that makes a difference. Until then, I thought I'd post to tech. Can anyone tell if I've made an error in the source code? Yes, there is an error. Use random(3), as suggested in the rand(3). -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Possible issue with srand or rand in base?
On Sun, Feb 07, 2010 at 10:42:40PM +0300, Vadim Zhukov wrote: On 7 February 2010 c. 21:59:33 Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads I could be doing something wrong. I've checked the source code several times but nothing obvious stands out. I'll try a gcc compiler from ports tomorrow to see if that makes a difference. Until then, I thought I'd post to tech. Can anyone tell if I've made an error in the source code? Yes, there is an error. Use random(3), as suggested in the rand(3). That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Better use arc4random() -Otto
Re: Possible issue with srand or rand in base?
The traditional implementation of rand() (including OpenBSD's) cycles very quickly in the lower bits (try printing a few eg rand() 0xf). If you do have to use it for anything, try to use the high bits, although as others have said you should avoid using it at all particularly for passwords. On Sun, Feb 07, 2010 at 01:59:33PM -0500, Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads I could be doing something wrong. I've checked the source code several times but nothing obvious stands out. I'll try a gcc compiler from ports tomorrow to see if that makes a difference. Until then, I thought I'd post to tech. Can anyone tell if I've made an error in the source code? Output from a current OpenBSD box (notice the first and last chars and how they seldom change) $ ./passgen-obsd 30 msTGrW7C d2TyHePk ViK8R6pU mJTQZnXL di38hwfL msbQh6Xk VJ3G9efU Ma38rEFu VJB8RwxC MsKGzNP4 5SBqrnPu M2ByzN7c MA3qRn74 d23Y9wXc V2tYRWPu dibqznFc maKgRNFc mJjqr674 MJbgHWxu m2jy9Wfc Va3yz67C DATQzWp4 vi3GzEf4 maKGHeXU 5aBgzwX4 M2byrN7c vStgHEpc d2bqhEFc MSbqHn74 d2B8z67u Output from a Windows box (No often repeating characters... seems much more random): c:\passgen.exe 30 Q9RvTAbT zkCKi5Bv yZqqJA7e 7SrN5qkH tA4QB2Hn cUjjxFty GzU2qYAr HX2yZdJs 2VJJrRjj WpfA3hah rYpNfrNt MKkNGxTu eHUauW2u 6EZRGUx7 JURbHdrk Cp7rKwN7 fXRFeJdg NrGHk8A9 vw33ubVk vAcFKh3t vWRtDL4n kf4YGmCZ GdUDJ4iK i52JWyb9 fpCVj5yQ HgEy4R3E uSkQZxXA z7zyL5Mp ESBmEv8d 4EvxqxiY P.S. I installed gcc-4.2 from ports today. It installed OK, but it complained about cc1plus not being found so would not compile the app. Brad
Re: Possible issue with srand or rand in base?
On 7 February 2010 c. 22:57:31 Otto Moerbeek wrote: On Sun, Feb 07, 2010 at 08:54:04PM +0100, Otto Moerbeek wrote: On Sun, Feb 07, 2010 at 10:42:40PM +0300, Vadim Zhukov wrote: On 7 February 2010 c. 21:59:33 Brad Tilley wrote: I wrote a small cpp application to generate randomish passwords. It compiles and runs OK on OpenBSD, however, it does not seem to create random strings (the first and last chars seldom ever change, etc). The same code compiles and runs on Linux and Windows and *does* produce randomish strings (no often repeating chars). The source code is small and is contained in a single file. I placed it here along with binaries for OpenBSD and Windows: http://16systems.com/downloads I could be doing something wrong. I've checked the source code several times but nothing obvious stands out. I'll try a gcc compiler from ports tomorrow to see if that makes a difference. Until then, I thought I'd post to tech. Can anyone tell if I've made an error in the source code? Yes, there is an error. Use random(3), as suggested in the rand(3). That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Correction to myself: if you seed it with randomdev(), it might be good enough. Better use arc4random() That still applies, simple and no seeding considerations. -Otto Well, TS did not mentioned that he wants really strong passwords... ;) And I was shocked enough by jar() function there... As my friend just said: I've never seen before such nicely split, indented and commented code that I cannot understand. :) Still shame on me too, of course. -- Best wishes, Vadim Zhukov A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
Re: Possible issue with srand or rand in base?
On Sunday, February 7, 2010, Otto Moerbeek wrote: That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Better use arc4random() Or rather, since he needs to reduce the range, use arc4random_uniform() (That C++ made me cry. Iterating across a map to convert an integer in the range 1..56 to a character?!? If only C++ had a datastructure which gave O(1) lookup for small indexes, like an array does in C.) Philip Guenther
Re: Possible issue with srand or rand in base?
On Sun, Feb 07, 2010 at 12:26:43PM -0800, Philip Guenther wrote: On Sunday, February 7, 2010, Otto Moerbeek wrote: That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Better use arc4random() Or rather, since he needs to reduce the range, use arc4random_uniform() (That C++ made me cry. Iterating across a map to convert an integer in the range 1..56 to a character?!? If only C++ had a datastructure which gave O(1) lookup for small indexes, like an array does in C.) Philip Guenther I glanced at that code and there are some real gems there. Like a new way of adding 8 to a number in the passwd() function. -Otto
Re: Possible issue with srand or rand in base?
On Sun, Feb 07, 2010 at 03:39:25PM -0500, Brad Tilley wrote: On Sun, 07 Feb 2010 21:32 +0100, Otto Moerbeek o...@drijf.net wrote: On Sun, Feb 07, 2010 at 12:26:43PM -0800, Philip Guenther wrote: On Sunday, February 7, 2010, Otto Moerbeek wrote: That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Better use arc4random() Or rather, since he needs to reduce the range, use arc4random_uniform() (That C++ made me cry. Iterating across a map to convert an integer in the range 1..56 to a character?!? If only C++ had a datastructure which gave O(1) lookup for small indexes, like an array does in C.) Philip Guenther I glanced at that code and there are some real gems there. Like a new way of adding 8 to a number in the passwd() function. -Otto Come on guys. It works... not idiomatic, but it does the job. Are you guys looking at this: http://16systems.com/downloads/source.cpp Sorry, but if you post here, you get comments based on our criteria. -Otto
Re: Possible issue with srand or rand in base?
On Sun, 07 Feb 2010 21:32 +0100, Otto Moerbeek o...@drijf.net wrote: On Sun, Feb 07, 2010 at 12:26:43PM -0800, Philip Guenther wrote: On Sunday, February 7, 2010, Otto Moerbeek wrote: That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Better use arc4random() Or rather, since he needs to reduce the range, use arc4random_uniform() (That C++ made me cry. Iterating across a map to convert an integer in the range 1..56 to a character?!? If only C++ had a datastructure which gave O(1) lookup for small indexes, like an array does in C.) Philip Guenther I glanced at that code and there are some real gems there. Like a new way of adding 8 to a number in the passwd() function. -Otto Come on guys. It works... not idiomatic, but it does the job. Are you guys looking at this: http://16systems.com/downloads/source.cpp Brad
Re: Possible issue with srand or rand in base?
On Sun, 07 Feb 2010 21:40 +0100, Otto Moerbeek o...@drijf.net wrote: On Sun, Feb 07, 2010 at 03:39:25PM -0500, Brad Tilley wrote: On Sun, 07 Feb 2010 21:32 +0100, Otto Moerbeek o...@drijf.net wrote: On Sun, Feb 07, 2010 at 12:26:43PM -0800, Philip Guenther wrote: On Sunday, February 7, 2010, Otto Moerbeek wrote: That is still wrong for this purpose. Although random(3) is a better random number generator than rand, is still a cryptographic weak generator. Better use arc4random() Or rather, since he needs to reduce the range, use arc4random_uniform() (That C++ made me cry. Iterating across a map to convert an integer in the range 1..56 to a character?!? If only C++ had a datastructure which gave O(1) lookup for small indexes, like an array does in C.) Philip Guenther I glanced at that code and there are some real gems there. Like a new way of adding 8 to a number in the passwd() function. -Otto Come on guys. It works... not idiomatic, but it does the job. Are you guys looking at this: http://16systems.com/downloads/source.cpp Sorry, but if you post here, you get comments based on our criteria. -Otto That's OK, my skin is thick. Thanks for the feedback. I had some older fltk code there initially that behaves in a similar fashion (only it has a GUI). It seems some of you may have seen that for some reason. Caching I guess. Brad
Re: Possible issue with srand or rand in base?
(That C++ made me cry. Iterating across a map to convert an integer in the range 1..56 to a character?!? If only C++ had a datastructure which gave O(1) lookup for small indexes, like an array does in C.) Not to mention that fixed array gets rebuilt upon every function call! Makes you wish Moore's law never happened. Miod
Re: Possible issue with srand or rand in base?
On Sun, 07 Feb 2010 22:03 +0100, Otto Moerbeek o...@drijf.net wrote: On Sun, Feb 07, 2010 at 03:43:59PM -0500, Brad Tilley wrote: That's OK, my skin is thick. Thanks for the feedback. I had some older fltk code there initially that behaves in a similar fashion (only it has a GUI). It seems some of you may have seen that for some reason. Caching I guess. Brad Ok, back to the real topic. The essence is that for key (or password generation) you'll want a cryptographically strong generator. See http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator Why? Because otherwise attackers might e.g. compute your password based on the seed you could have used. Especially time-based seeds are bad in this respect. But even if you have a good seed, attackers can compute earlier or later password based on one or more passwords they know you have generated. -Otto Thanks Otto, I understand that time is known and can be predicted or repeated if necessary. This was a simple attempt to produce random strings to be used as passwords on multiple platforms in a portable manner (the same source code should compile and execute on multiple OSes with similar output). I assumed (wrongly) that standard C++ and srand/rand on OpenBSD would behave as standard C++ and srand/rand does elsewhere. I understand now why it does not. Brad