2

I'm developing a password generator, which will run on a webpage. I'm using the built-in features of .NET's Random() function to generate random numbers. They are then used to pick different upper/lower-case characters and numbers from a string.

What I'm wondering is, how secure is it to use the Random() function to generate passwords? Note that these passwords expire after 2 min, and the page will only allow generating 3 times per IP address.

tshepang
Mana
    What exactly do you mean by secure? – Tim Kathete Stadler Jan 10 '13 at 14:28
    Is there a reason you want to roll your own password generator? You can use the built in [Membership.GeneratePassword](http://msdn.microsoft.com/en-us/library/system.web.security.membership.generatepassword.aspx) method. – keyboardP Jan 10 '13 at 14:28
  • @keyboardP That includes special characters that the user might not be able to type. Trades bad usability for a really small increase of security. – CodesInChaos Jan 10 '13 at 14:36
  • As a side note, use a SecureString, not a string, to save it. http://msdn.microsoft.com/en-us/library/system.security.securestring.aspx – Thomas Lindvall Jan 10 '13 at 15:23

3 Answers

6

Don't use Random if you need password security.

Use RNGCryptoServiceProvider.

Implements a cryptographic Random Number Generator (RNG) using the implementation provided by the cryptographic service provider (CSP). This class cannot be inherited.

Oded
5

If you want a secure random number, you could write a class which inherits from System.Security.Cryptography.RandomNumberGenerator

fiz
3

System.Random is not secure. The biggest weakness is that it has only a 31-bit seed that's seeded from a predictable source (Environment.TickCount). So an attacker who knows when your instance of Random was created can probably narrow the possible passwords down to a handful.

The algorithm itself isn't secure either. It's probably possible to predict future outputs from observing a few of them.

Use a class derived from System.Security.Cryptography.RandomNumberGenerator, such as RNGCryptoServiceProvider to generate secure random numbers.

To generate a secure random string, I recommend my answer to How can I generate random 8 character, alphanumeric strings in C#?. Note that most other answers there aren't secure.

CodesInChaos
  • I'm checking your answer as the solution to my problem since it also explained why random() is weak. Thanks – Mana Jan 10 '13 at 15:15
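A generator built on the API these answers recommend, as an added example rather than code from the question or any answer; the class name SecurePasswordGenerator is assumed, the alphabet is the letters-and-digits set from the question, and the byte loop uses rejection sampling so that reducing a byte modulo 62 does not bias the selection toward the first symbols.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Assumed class name; not from the question or the answers.
public static class SecurePasswordGenerator
{
    // Alphabet from the question: upper/lower-case letters and digits (62 symbols).
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    public static string Generate(int length)
    {
        if (length <= 0) throw new ArgumentOutOfRangeException(nameof(length));

        var result = new StringBuilder(length);
        using (var rng = new RNGCryptoServiceProvider())
        {
            byte[] buffer = new byte[1];
            // Largest multiple of Alphabet.Length that fits in a byte: 248 for 62 symbols.
            // Bytes at or above this limit are discarded so every symbol is equally likely;
            // taking (byte % 62) directly would favour the first 8 symbols of the alphabet.
            int limit = 256 - (256 % Alphabet.Length);
            while (result.Length < length)
            {
                rng.GetBytes(buffer);
                if (buffer[0] >= limit) continue; // reject and draw again
                result.Append(Alphabet[buffer[0] % Alphabet.Length]);
            }
        }
        return result.ToString();
    }

    // Contrast: the approach the question describes. System.Random is seeded from
    // Environment.TickCount, so anyone who can estimate when the generator ran can
    // reproduce its output; keep this only as a demonstration of what not to do.
    public static string GenerateInsecure(int length)
    {
        var random = new Random();
        var chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[random.Next(Alphabet.Length)];
        return new string(chars);
    }
}
```

On newer .NET the byte loop can be replaced by RandomNumberGenerator.GetInt32(Alphabet.Length), which performs the same rejection sampling internally.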