5

Very often I see .NET class Random being used for password generation.

On one hand, this question I asked earlier shows that generating a bunch of "secret" data using class Random yields rather predictable data. On the other hand, I'm currently trying to perform that exact prediction and my code works at a speed of about six million seed guesses per day on a single core - not extremely fast, it will take almost a year to enumerate all possible seed values at that rate.

Is there a clearer and faster way to show that passwords generated using data from class Random() are much weaker than typically expected?

Community
sharptooth
  • 5
    Why not just show them that response from Eric Lippert and the question you linked? It even shows an example of cryptographic random number generation - if you are trying to convince business minds, then just mentioning the word cryptographic should work :-P – Adam Houldsworth May 03 '12 at 08:57
  • I think you have the logic the wrong way around. If there's an application that's security-critical, the burden is on those who propose a solution to demonstrate that the solution meets the security requirements. I doubt anyone could do this for .NET's Random class. PRNGs used in crypto applications have defined security properties, so it's possible to show they meet defined requirements. – David Schwartz May 05 '12 at 15:27

3 Answers

1

Let me put it this way: Pick a random number generator that is adequate for the number of passwords you want to generate. With an alphabet size of 36 (digits and only uppercase or only lowercase letters) you extract only a small fraction of the internal state of the RNG. And even if you generate 40000 characters that way, that's still only about 21 bits of information. Your algorithm in the other question only generates 4 random characters in addition to the prefix. It would be easier for an attacker to brute-force all possible passwords instead of brute-forcing the RNG state in order to figure out the next password to be generated.

Actually, the worst mistake you can make when using a simple RNG to generate passwords is to generate a large number of them. If you only generate them on demand and always with a freshly-seeded RNG, an attacker will have a hard time figuring out the seed and thus the password. The default implementation of System.Random takes the time passed since system start in milliseconds as seed. Good luck figuring that out.

Wormbo
0

From my understanding, the Random class generates random values based on a "pseudo-random algorithm", so in fact they are not random whatsoever. They are based on a concrete implementation of a mathematical algorithm, so the results are predictable.

So if I was trying to break this algorithm, for a security breach, not that I would, I need to know certain information: I know what the algorithm is, it's publicly accessible through the .NET framework, what are the input values (the seed)?

Again you can't just magic up these input values, they must be based on something, so what?

In your example you're trying, as I understand it, to generate all possible seed values. This, like you said, takes a long time!

But why would I do this? The most intelligent approach is to try and guess what you're using to generate your input values, i.e. are you using time? When do the passwords get reset? When was this password generated? What subset of values does this give me? How big a number are you using?

If you can test 6 million seeds in a day, how many values does applying some logic narrow the set of possible values down to? If it's < 6 million I could break your password in 24 hours.

That said, if you can make your subset of seeds large enough and unpredictable enough then this is hard. So the question, like many things in security, comes down to: how secure does this need to be? Nothing's 100%!

Cody Gray - on strike
Liam
  • 1
    Your first three paragraphs apply to all RNGs commonly in use though, right? If I have your algo and your seed, I can get the next value. – Cylindric May 03 '12 at 12:39
  • True but complexity is an issue here. But random only has a single key? It's not very complex so the logic required to guess that key is easier. It's not designed for random password generation. Something like an MD5 hash is designed for encryption, so it's more complex, it has multiple keys, etc. so the logic required to replicate the outcome is much more complex – Liam May 03 '12 at 12:51
  • 1
    If you're using MD5 for anything to do with passwords and/or encryption, you might as well not bother. – Cylindric May 03 '12 at 13:01
  • I'm not, it was an example of a security based algorithm, whereas random is not. – Liam May 04 '12 at 08:12
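
The seed-narrowing argument from the answer above, as an added example (not code from the question or from any answer). It assumes the seed is a millisecond uptime value, as the first answer describes, and that the generation time is known to within five seconds; the seed value, the window and all method names are constructed for the demonstration, and `RandomNumberGenerator.GetInt32` and `Math.Log2` require .NET Core 3.0 or later.

```csharp
using System;
using System.Security.Cryptography;

static class PasswordDemo
{
    // 36 symbols, the alphabet size used in the first answer.
    const string Alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";

    // Weak form: every character is a pure function of the 32-bit seed.
    static string FromRandom(int seed, int length)
    {
        var rng = new Random(seed);
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[rng.Next(Alphabet.Length)];
        return new string(chars);
    }

    // Hardened form: characters come from the OS CSPRNG, so there is no seed to narrow down.
    static string FromCsprng(int length)
    {
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)];
        return new string(chars);
    }

    // Returns the first seed in [from, to] that reproduces the password, or null.
    static int? FindSeed(string password, int from, int to)
    {
        for (int seed = from; seed <= to; seed++)
            if (FromRandom(seed, password.Length) == password)
                return seed;
        return null;
    }

    static void Main()
    {
        const int length = 12;
        int seed = 86_400_000 + 1234;   // constructed: roughly one day of uptime in ms
        string password = FromRandom(seed, length);

        const int window = 5_000;       // assumption: generation time known to +/- 5 s
        int? found = FindSeed(password, seed - window, seed + window);

        Console.WriteLine($"nominal strength: {length * Math.Log2(Alphabet.Length):F1} bits");
        Console.WriteLine($"seed-bounded:     {Math.Log2(2 * window + 1):F1} bits, recovered={found == seed}");
        Console.WriteLine($"CSPRNG password:  {FromCsprng(length)}");
    }
}
```

The password's effective strength is the logarithm of the number of candidate seeds, not of the number of possible character strings, which is why making the password longer does not help while the seed stays guessable.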
0

In your original question no one says Random is not good for generating random passwords (in fact the word "password" does not appear anywhere in the question, answers or the comments). You will have a hard time proving this because in order to do this the system will have to generate a number of random passwords at once. Also the attacker will need to match username and password somehow even if he manages to get hold of a good number of passwords.

Stilgar