RPGen - Random Password Generator

[oldCoder34]

.

Edited April 19, 2012 by oldCoder34

[stingwray]

You need to understand random number and pseudo random number generators more before thinking this is a good idea.

Start with the python documentation. Python Doc - Random

In particular, you need to look at:

However, being completely deterministic, it is not suitable for all purposes, and is completely unsuitable for cryptographic purposes.

random.seed([x])

Initialize the basic random number generator. Optional argument x can be any hashable object. If x is omitted or None, current system time is used; current system time is also used to initialize the generator when the module is first imported. If randomness sources are provided by the operating system, they are used instead of the system time (see the os.urandom() function for details on availability).

So there is nothing random about your program and could very easily be repeatable. Also it makes generating list of passwords completely pointless as the PRNG is deterministic.

Also, as an Attacker, thanks for removing all passwords with the same character next to each other, this cuts the size of my dictionary and brute force attacks considerably. A password with two characters next to each other is not a bad password. A bad password would be 'papapapa' where 'oP9nn7Ae' is miles better.

[oldCoder34]

I alreadly knew it wasn't fully random but its random enough for generating passwords and you may notice that Linux and Mac OSX both included random password generators that are also (obviously) only pseudo random number generators.

However due to the sheer number of possible passwords this is unlikely to cause issues, running in default mode (10 Character password) and not including the removal of characters next to each other (that would be a lot of math to work out) there is 10^62 possible passwords.

Also, as an Attacker, thanks for removing all passwords with the same character next to each other, this cuts the size of my dictionary and brute force attacks considerably. A password with two characters next to each other is not a bad password. A bad password would be 'papapapa' where 'oP9nn7Ae' is miles better.

The chance of papapapa turning up is very slim, however of course possible, at the end of the day the user decides whether or not to implement the generated password and sensibility must be used.

Futhermore since there are x^62 possible passwords even taking away the characters next to each other doesn't make it that much easier, however I will adjust that in the future to look for patterns though obviously that coding will be rather intricate. I also never said it made a bad password however if someone shoulder-surfs then the same character twice is very easy to pick up, so it is perhaps safer.

Sorry for wasting your time,

[stingwray]

Actually, if you use 10 character long password and 62 characters to produce it from you have 62^10 possible passwords, which is a lot less than 10^62.

It doesn't matter whether Linux and Mac OSX have other PRNG, Python uses its own Mersenne Twister implementation in C. The difference would be in seeding the PRNG, which your letting the operating system do in its default way, which for the majority of systems is the current time, which is an extremely poor seed. An example of how this is done slightly better is in TrueCrypt which takes input from mouse movements to help randomize the seed.

'papapapa' is only an example, there are many others which are easily equatable. If you want to come back onto Maths, the chances of two characters coming up next to each other are 1/(62^2), Now 1/(62^2)*62^10 is not a trival number to reduce the number of possible tries. Plus I have the added benefit that you also don't allow three/four/five same characters in a row, so I can remove even more!

Coding something to remove bad passwords wouldn't be hard or intricate to get good results, a good password has a high amount of entropy between characters, just don't accept password below a threshold, which should the user want, could be changed.

I wouldn't worry about shoulder surfing, the user has to worry about that and given that 99% of all passwords breaking comes from attacking the hash its not really a problem anyway.

I don't know why your say "Sorry for wasting your time,", I'm trying to help you make your software better. If you would rather produce poor quality software then please ignore all my comments.