On Sun, Feb 07, 2010 at 10:42:40PM +0300, Vadim Zhukov wrote:

> On 7 February 2010 c. 21:59:33 Brad Tilley wrote:
> > I wrote a small cpp application to generate randomish passwords. It
> > compiles and runs OK on OpenBSD, however, it does not seem to create
> > random strings (the first and last chars seldom ever change, etc). The
> > same code compiles and runs on Linux and Windows and *does* produce
> > randomish strings (no often repeating chars). The source code is small
> > and is contained in a single file. I placed it here along with
> > binaries for OpenBSD and Windows:
> >
> > http://16systems.com/downloads
> >
> > I could be doing something wrong. I've checked the source code several
> > times but nothing obvious stands out. I'll try a gcc compiler from
> > ports tomorrow to see if that makes a difference. Until then, I
> > thought I'd post to tech. Can anyone tell if I've made an error in the
> > source code?
> 
> Yes, there is an error. Use random(3), as suggested in rand(3).

That is still wrong for this purpose. Although random(3) is a better
random number generator than rand, it is still a cryptographically weak
generator.

Better use arc4random()

        -Otto
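
An added example, not code from this thread or from Brad's program: a password generator that draws from arc4random() as suggested above, with rejection sampling so the character choice has no modulo bias. The alphabet, the function names, and the /dev/urandom fallback for systems without arc4random() are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed alphabet; the original program's character set is not shown. */
static const char ALPHABET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
/* arc4random() needs no seeding, unlike rand(3) and random(3). */
static uint32_t csprng_u32(void) { return arc4random(); }
#else
/* Assumed fallback where arc4random() is missing: the kernel CSPRNG device. */
static uint32_t csprng_u32(void) {
    static FILE *dev;
    uint32_t v;
    if (dev == NULL && (dev = fopen("/dev/urandom", "rb")) == NULL) abort();
    if (fread(&v, sizeof v, 1, dev) != 1) abort();
    return v;
}
#endif

/* Uniform value in [0, bound), bound > 0. Draws below 2^32 mod bound are
 * rejected so that r % bound is unbiased; arc4random_uniform(3) does the same. */
static uint32_t uniform(uint32_t bound) {
    uint32_t min = (0u - bound) % bound;
    uint32_t r;
    do { r = csprng_u32(); } while (r < min);
    return r % bound;
}

/* Writes len random characters plus a NUL; returns -1 if the buffer is too small. */
int make_password(char *out, size_t outsz, size_t len) {
    if (out == NULL || outsz <= len) return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[uniform((uint32_t)strlen(ALPHABET))];
    out[len] = '\0';
    return 0;
}

int main(void) {
    char pw[17];
    if (make_password(pw, sizeof pw, 16) != 0) return 1;
    puts(pw);
    return 0;
}
```

On OpenBSD the uniform() helper can be replaced by a direct call to arc4random_uniform().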
