At 01:15  +1200 2007/06/15, Sherlock, Ric wrote:
As part of the web-based user login I've been working on, I want to
create salted, hashed passwords.

The problem is that because each page request starts a new console
session, the random seed is often the same (7^5), and each registering
user gets the same "salt".

NB.*createSalt v generates salt as 4-byte integer
NB. e.g. createSalt ''
createSalt=: ([: _2&(3!:4) a. {~ [: ? 256 $~ ])&4
   createSalt''
2094548590

From my reading of the dictionary and past forum threads, I'm thinking
that what I need to do is "randomly" set the random seed before creating
the salt. For the case of the default RNG used by J, it seems that the
seed could be either an integer or a list of integers. My question is
what is a good way of coming up with that list of integers.
A couple of forum posts mention using the system time as a source of the
seed.
<.6!:0'' NB. Is this OK?

(10#:1000*{:ts)|.<.ts=:(6!:0)''  NB. Better?

Are there other better solutions?

I have always been surprised at how bad the results of sampling
some system time variable are. I've tried to throw other random
things (e.g. log file size) into the mix and that doesn't help
much.

I now use a verb which reads 4 bytes from the Unix entropy
pool. You can read about the entropy pool at:

  http://en.wikipedia.org/wiki//dev/random

There is mention of Windows there, if that is your environment.

My verb (PrettyGoodSEED) is defined as:

pgseed =: 3 : '9!:1 {. _2 (3!:4) (4?4){ host ''dd if=/dev/random bs=4 count=1'''

pgseed requires, but ignores, an argument - e.g. pgseed ''
it returns the stdout of dd.

Looking up dd ( http://en.wikipedia.org/wiki/Dd_(Unix)  ) will
amuse old "mainframe heads" ....

- joey
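
Added example, not part of either post and written in Python rather than J: it models the failure discussed above, where every fresh session seeds its PRNG identically (or from a whole-second clock) and users therefore share a salt, next to salts read from the OS entropy source. The function names, the sample password and timestamps, the whole-second clock model, and the PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import random

J_DEFAULT_SEED = 7 ** 5  # fixed start-up seed named in the thread
ITERATIONS = 600_000     # assumed PBKDF2 work factor; not from the thread


def prng_salt(seed, nbytes=4):
    """Model one page request: a fresh PRNG is seeded, then a salt is drawn."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(nbytes))


def os_salt(nbytes=16):
    """Salt read from the OS entropy source; no PRNG seed is involved."""
    return os.urandom(nbytes)


def make_record(password, salt, iterations=ITERATIONS):
    """Return the (salt, digest) pair a login table would store."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def check_password(password, record, iterations=ITERATIONS):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = make_record(password, salt, iterations)[1]
    return hmac.compare_digest(candidate, digest)


def colliding_records(records):
    """Count stored records identical to an earlier one (same salt, same digest)."""
    return len(records) - len(set(records))


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample: three users pick the same password
    stamps = (1181826900, 1181826900, 1181826901)  # constructed whole-second clock seeds
    fixed = [make_record(pw, prng_salt(J_DEFAULT_SEED)) for _ in range(3)]
    clock = [make_record(pw, prng_salt(t)) for t in stamps]
    urandom = [make_record(pw, os_salt()) for _ in range(3)]
    # Identical records mean one guess at the password is checked against all of them at once.
    print(colliding_records(fixed), colliding_records(clock), colliding_records(urandom))
```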

----------------------------------------------------------------------
For information about J forums see http://www.jsoftware.com/forums.htm
