written command line password generator
I've written a password generator in C. It works just like I want it to and has the GPL license, but I was wondering what you guys think of the way it is coded, and what I could have done to improve the coding...
pwgenCL
Here's the source:
Code:
#include <stdio.h>
Code:
void very_easy_password(length)
Like, say for instance that one of your charsets creates a password consisting of lowercase characters, uppercase characters, and underscores. You could set up an array like this:
Code:
char arr[] =
Code:
array_len = strlen(arr);
It also seems (to me at least) to be a little clearer as to which characters each charset contains.
Code:
itsme@dreams:~/C$ cat pwd.c
It's also a good idea to use getopt_long for parsing arguments; it makes it easier to write GNU-style apps (with short and long arguments etc).
-- Maksim Sipos
wow, 2 random number posts in 1 night.

OK, rand() is a bad idea because most stdlibs' implementation of it is a first-order LCG, i.e. a sequence of the form

X_{n+1} = (a*X_n + c) mod m

which for this kind of thing is NOT good because:

a) if some characters are known it is quite simple (CPU-power wise) to narrow down the possibilities of the others, i.e. the generator has very low entropy.

b) some libcs (don't think glibc does) for speed take m to be a power of two because the modulus can be done with a bitwise AND. This is DISASTROUS when you do rand()%128 because it's relatively simple to prove that given two sequences

X_{n+1} = (a*X_n + c) mod p*q
Y_n = X_n mod p

Y_n has a maximum period of p rather than p*q, so if you link with a libc like this, passwords of more than 128 characters will repeat, and most likely passwords of less will also repeat, but that's dependent on a and c.

So you really shouldn't use rand(), especially when there are cryptography libraries with far superior random number generators, or the very well written (one of the best, I think) entropy collector that is /dev/random.

Your choice to disregard numbers, although perhaps inefficient as stated by itsme86, is a good way of removing the structure of an LCG, especially in your context where the number of disregarded numbers is dependent only on the seed and the user's choice of character set; this makes it much harder for a cracker to analyse passwords. And since today we have lots of CPU power and very large periods (in the region of 2^32), I would definitely stick with this if you intend to use rand() (obviously it's a waste if you use /dev/random). If you're interested, it was first proposed by a guy called Todd in the mid 50s, I think.

You do seem to have rather a lot of code repetition here; you need to do something like itsme86 was saying, some kind of array. If you're familiar with a bitmap I suggest you use something like that.
Code:
char x[128];
<edit>
I don't know very much about seed choice other than you'll want it to be as unguessable as possible, which is why time(NULL) isn't the best: if the cracker knows the day the password is generated he only has 60*60*24 seeds to try, which is a hell of a lot less than 2^32. As stated above, sources of entropy are your best bet, like /dev/random, but you can make things difficult with badly behaved numerical systems such as chaotic dynamical systems or ill-conditioned matrix equations.
</edit>
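Added example, not part of the thread or of pwgenCL: a constructed LCG with m = 2^32 (illustrative constants, handing out its raw state like the hypothetical libc in the post above) shows that X_n mod 128 repeats every 128 outputs, next to a generator that indexes a charset array with bytes from /dev/urandom, the non-blocking sibling of the /dev/random device named above, using rejection sampling so the modulo does not bias the result. The names lcg_next, low7_period and gen_password are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed LCG, X_{n+1} = (a*X_n + c) mod 2^32; uint32_t wraparound is the mod. */
static uint32_t lcg_next(uint32_t x) { return x * 1103515245u + 12345u; }

/* Steps until Y_n = X_n mod 128 first returns to its starting value.
   128 divides 2^32, so Y_{n+1} depends only on Y_n and this is Y's period. */
unsigned low7_period(uint32_t seed)
{
    uint32_t x = seed;
    unsigned steps = 0;
    do {
        x = lcg_next(x);
        steps++;
    } while ((x & 127u) != (seed & 127u));
    return steps;
}

/* Fill out[0..len-1] with characters drawn uniformly from charset using kernel
   entropy; out must hold len + 1 bytes. Returns 0 on success, -1 on error. */
int gen_password(char *out, size_t len, const char *charset)
{
    size_t n = strlen(charset), i = 0;
    if (n == 0 || n > 256) return -1;
    unsigned limit = 256 - (256 % (unsigned)n);  /* largest multiple of n <= 256 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    while (i < len) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if ((unsigned)b < limit)                 /* reject bytes that would bias % n */
            out[i++] = charset[(unsigned)b % n];
    }
    out[len] = '\0';
    fclose(f);
    return 0;
}

int main(void)
{
    const char charset[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_";
    char pw[17];
    printf("period of X_n mod 128: %u\n", low7_period(1u));
    if (gen_password(pw, 16, charset) == 0)
        printf("password: %s\n", pw);
    return 0;
}
```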
wew, what a response :D
Well first of all, I've just started programming in C 2 months ago (I started with C++ 1,5 years ago, but never gave it much thought), so most of the things you guys talk about I just haven't thought about or just don't know :( But I'm surely gonna check all these points out, and perhaps in a couple of weeks I can rewrite it with much more efficient code :) Thanks a lot for the response :D
[edit]
OK, here's what I've come up with so far. I've also created an extra parameter to the code to create more randomness.
pwgenCL_2
Code:
/*
grtz Scorpius