On Sun, 07 Feb 2010 22:03 +0100, "Otto Moerbeek" <o...@drijf.net> wrote:
> On Sun, Feb 07, 2010 at 03:43:59PM -0500, Brad Tilley wrote:
> 
> > That's OK, my skin is thick. Thanks for the feedback. I had some older fltk 
> > code there initially that behaves in a similar fashion (only it has a GUI). 
> > It seems some of you may have seen that for some reason. Caching I guess.
> > 
> > Brad
> 
> Ok, back to the real topic.  The essence is that for key (or password)
> generation you'll want a cryptographically strong generator.
> 
> See
> http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator
> 
> Why? Because otherwise attackers might e.g. compute your password
> based on the seed you could have used. Especially time-based seeds are
> bad in this respect. But even if you have a good seed, attackers can
> compute earlier or later passwords based on one or more passwords they
> know you have generated. 
> 
>       -Otto

Thanks Otto, I understand that time is known and can be predicted or repeated 
if necessary. This was a simple attempt to produce random strings to be used as 
passwords on multiple platforms in a portable manner (the same source code 
should compile and execute on multiple OSes with similar output). I assumed 
(wrongly) that standard C++ and srand/rand on OpenBSD would behave as standard 
C++ and srand/rand do elsewhere. I understand now why it does not.

Brad
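
Added example, not part of the original thread or either poster's code: a time-seeded srand/rand password generator next to one that draws from std::random_device, with a check showing that the weak password is regenerated by some seed within an hour of the constructed timestamp. The alphabet, function names and timestamp are made up for illustration; it assumes a libc whose rand() is deterministic for a given seed and a std::random_device backed by the OS CSPRNG (the C++ standard does not guarantee the latter).

```cpp
#include <cstdlib>
#include <iostream>
#include <random>
#include <string>

// Constructed alphabet for this example.
static const std::string kAlphabet =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Weak form: every character is a pure function of the seed.
// Assumes a libc whose rand() is deterministic for a given srand() seed.
std::string weak_password(unsigned seed, std::size_t len) {
    std::srand(seed);
    std::string out;
    for (std::size_t i = 0; i < len; ++i)
        out += kAlphabet[std::rand() % kAlphabet.size()];
    return out;
}

// Audit check: return a seed in [from, to] that regenerates pw, or -1.
// A time-based seed only has to be located within a window of seconds.
long long seed_in_window(const std::string& pw, unsigned from, unsigned to) {
    for (unsigned long long s = from; s <= to; ++s)
        if (weak_password(static_cast<unsigned>(s), pw.size()) == pw)
            return static_cast<long long>(s);
    return -1;
}

// Hardened form: draw each index from std::random_device (assumed to be
// backed by the OS CSPRNG); the distribution removes modulo bias.
std::string strong_password(std::size_t len) {
    std::random_device rd;
    std::uniform_int_distribution<std::size_t> pick(0, kAlphabet.size() - 1);
    std::string out;
    for (std::size_t i = 0; i < len; ++i)
        out += kAlphabet[pick(rd)];
    return out;
}

int main() {
    const unsigned t = 1265576639u;  // constructed timestamp used as seed
    const std::string pw = weak_password(t, 12);
    std::cout << "weak:   " << pw << "\n"
              << "seed found in +/-1h window: "
              << seed_in_window(pw, t - 3600, t + 3600) << "\n"
              << "strong: " << strong_password(12) << "\n";
    return 0;
}
```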
