The traditional implementation of rand() (including OpenBSD's) cycles very quickly in the lower bits (try printing a few eg rand() & 0xf). If you do have to use it for anything, try to use the high bits, although as others have said you should avoid using it at all particularly for passwords.
On Sun, Feb 07, 2010 at 01:59:33PM -0500, Brad Tilley wrote: > I wrote a small cpp application to generate randomish passwords. It compiles > and runs OK on OpenBSD, however, it does not seem to create random strings > (the first and last chars seldom ever change, etc). The same code compiles > and runs on Linux and Windows and *does* produce randomish strings (no often > repeating chars). The source code is small and is contained in a single file. > I placed it here along with binaries for OpenBSD and Windows: > > http://16systems.com/downloads > > I could be doing something wrong. I've checked the source code several times > but nothing obvious stands out. I'll try a gcc compiler from ports tomorrow > to see if that makes a difference. Until then, I thought I'd post to tech. > Can anyone tell if I've made an error in the source code? > > Output from a current OpenBSD box (notice the first and last chars and how > they seldom change) > > $ ./passgen-obsd 30 > > msTGrW7C > d2TyHePk > ViK8R6pU > mJTQZnXL > di38hwfL > msbQh6Xk > VJ3G9efU > Ma38rEFu > VJB8RwxC > MsKGzNP4 > 5SBqrnPu > M2ByzN7c > MA3qRn74 > d23Y9wXc > V2tYRWPu > dibqznFc > maKgRNFc > mJjqr674 > MJbgHWxu > m2jy9Wfc > Va3yz67C > DATQzWp4 > vi3GzEf4 > maKGHeXU > 5aBgzwX4 > M2byrN7c > vStgHEpc > d2bqhEFc > MSbqHn74 > d2B8z67u > > Output from a Windows box (No often repeating characters... seems much more > random): > > c:\passgen.exe 30 > Q9RvTAbT > zkCKi5Bv > yZqqJA7e > 7SrN5qkH > tA4QB2Hn > cUjjxFty > GzU2qYAr > HX2yZdJs > 2VJJrRjj > WpfA3hah > rYpNfrNt > MKkNGxTu > eHUauW2u > 6EZRGUx7 > JURbHdrk > Cp7rKwN7 > fXRFeJdg > NrGHk8A9 > vw33ubVk > vAcFKh3t > vWRtDL4n > kf4YGmCZ > GdUDJ4iK > i52JWyb9 > fpCVj5yQ > HgEy4R3E > uSkQZxXA > z7zyL5Mp > ESBmEv8d > 4EvxqxiY > > P.S. I installed gcc-4.2 from ports today. It installed OK, but it complained > about cc1plus not being found so would not compile the app. > > Brad
