
Re: One-line password generator



Hi,

Curt wrote:
> So this is wrong:
> https://www.2uo.de/myths-about-urandom/

Dunno. I took my info from the man page.

This article is, at least at its beginning, very affirmative and poorly
equipped with supporting facts. Mainly "Believe me!"
The author is a proselyte of urandom, as he confesses openly.

Of course, if you are lucky, urandom gives you 8 bit entropy per byte read.
But as all diagrams in the article say: Entropy can be lower and urandom will
still hand out the bytes. The whole article is about why this shall not
be of concern.
Why is the potentially missing stuff considered to be entropy then?

Verifying the statements about the way random and urandom correspond
in the Linux kernel would take a few weeks. Why was it changed so often?
Further, I'd need to wrap my head around the topic of whether this really yields
the properties claimed by the author.


Compared to that, what is the penalty if I do not join the urandom church?
I might be doomed to wait a few seconds before my password is generated.
Maybe a mass generator of random numbers, which relies on /dev/random against
the advice of the man page, will have to wait too. Serves him right.

If I get bored, I can speed it up by doing things on mouse and keyboard.
But it's not necessary for me. I just read 5 times 16 bytes. No waiting,
no lightning strike from heaven.

Am I stupid to take any risk and reject the offer of the kernel to test my
random bytes before I get them?
Just because people with undisclosed interests tell me?
The term for this is "social engineering".


Have a nice day :)

Thomas
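The kind of one-line generator the thread is about, as an added example that is not Thomas's script or anything from the quoted article: it reads raw bytes from a chosen kernel device (the `/dev/random` default follows the post; `device` and the 62-character alphabet are assumptions) and maps them to password characters by rejection sampling, so that whatever entropy the device delivers per byte is passed on without the bias a plain modulo would introduce.

```python
import math

# Assumed alphabet: 62 printable characters, ~5.95 bits each.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def bytes_to_password(raw: bytes, alphabet: str = ALPHABET) -> str:
    """Map raw random bytes to characters without modulo bias.

    A byte b is accepted only if b < limit, where limit is the largest
    multiple of len(alphabet) that fits in 256 (248 for 62 symbols); the
    remaining byte values are discarded. Plain 'b % 62' would otherwise
    favour the first 256 % 62 = 8 characters, which is a real weakness
    even when every input byte carries a full 8 bits of entropy.
    """
    n = len(alphabet)
    limit = 256 - (256 % n)
    return "".join(alphabet[b % n] for b in raw if b < limit)


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Upper bound on the password's entropy, assuming unbiased input bytes."""
    return len(password) * math.log2(len(alphabet))


def generate(length: int = 16, device: str = "/dev/random") -> str:
    """Read from the device until 'length' bytes have been accepted.

    With /dev/random this may block while the kernel's entropy estimate
    is low; with /dev/urandom it returns immediately. Which one to use
    is exactly the question of the thread, so it is left as a parameter.
    """
    out = ""
    with open(device, "rb") as f:
        while len(out) < length:
            out += bytes_to_password(f.read(length - len(out)))
    return out[:length]


if __name__ == "__main__":
    pw = generate()
    print(pw, f"({entropy_bits(pw):.1f} bits)")
```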

