Re: Generating Random Numbers

2017-06-27 Thread Arnaud de Montard via 4D_Tech

> On 26 June 2017 at 20:46, Jim Medlen via 4D_Tech <4d_tech@lists.4d.com> wrote:
> 
> I think that my method was based on your original tech note
> http://kb.4d.com/assetid=76055

It's based on Random, same problem of distribution… 

> I found the PHP command mt_rand which generates a random number using
> Mersenne Twister.

Using php won't suit an "intensive need" of numbers (a demo, for example). If I 
call php 'rand' 10,000 times, it takes 9 seconds, while Random takes 10ms.  

-- 
Arnaud de Montard




**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**
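
The distribution problem raised in this thread, worked through as an added example in Python (not code from any poster, and not 4D): it tallies exactly which indexes `(Random%35)+1` can produce over the 1 to 32,767 range quoted in the thread, then builds an 8-character password from the operating system's CSPRNG using rejection sampling instead of a bare modulo. Assumptions: all function names are illustrative, and "not 3 or more consecutive numbers" is read as no three digits in a row.

```python
import secrets
from collections import Counter

# Alphabet from the thread's code: 26 lowercase letters followed by 10 digits.
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"


def modulo_index_counts(lo=1, hi=32767, modulus=35):
    """Exact tally of the 1-based index (r % modulus) + 1 for every r in lo..hi.

    lo..hi is the output range quoted in the thread for 4D's Random.
    """
    return Counter((r % modulus) + 1 for r in range(lo, hi + 1))


def unreachable_chars(counts, charset=CHARSET):
    """Characters of charset whose 1-based index is never produced."""
    return [c for i, c in enumerate(charset, start=1) if counts[i] == 0]


def uniform_index(n, rand15=lambda: secrets.randbits(15)):
    """Unbiased index in 0..n-1 from a 15-bit source, by rejection sampling."""
    limit = (1 << 15) - ((1 << 15) % n)  # largest multiple of n <= 32768
    while True:
        r = rand15()
        if r < limit:  # discard the partial last cycle instead of folding it in
            return r % n


def meets_rules(pw):
    """Rules from the original question; uniqueness is left to the caller.

    Assumption: "3 or more consecutive numbers" means three digits in a row.
    """
    has_digit = any(c.isdigit() for c in pw)
    has_lower = any(c.islower() for c in pw)
    no_double = all(a != b for a, b in zip(pw, pw[1:]))
    no_digit_run = not any(pw[i:i + 3].isdigit() for i in range(len(pw) - 2))
    return has_digit and has_lower and no_double and no_digit_run


def generate_password(existing=frozenset(), length=8):
    """Draw whole candidates from the OS CSPRNG until one passes every rule."""
    while True:
        pw = "".join(CHARSET[uniform_index(len(CHARSET))] for _ in range(length))
        if meets_rules(pw) and pw not in existing:
            return pw


if __name__ == "__main__":
    counts = modulo_index_counts()
    print("never selected:", unreachable_chars(counts))
    print("most/least frequent index counts:", max(counts.values()), min(counts.values()))
    print("sample password:", generate_password())
```

With the thread's range, the modulo form never selects the 36th character (`9`), and seven indexes are drawn one extra time out of 32,767. Calling `mt_rand` with bounds 1 and 36 fixes the range, but Mersenne Twister is not a cryptographic generator, which is why the sketch draws from the OS CSPRNG.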

Re: Generating Random Numbers

2017-06-27 Thread Chip Scheide via 4D_Tech
I ran into a problem with the PHP execute code, it was throwing an 
error, I do not know exactly why, and of course 
I can't get it to repeat now to capture the error message...

Also it was a bit slower. Replacing (for capital letters)
Char((Random%($CapEnd-$CapStart+1))+$CapStart) -- (656 seconds for 100,000)
with 
PHP Execute("";"mt_rand";$Result;$CapStart;$CapEnd) -- (709 seconds for 100,000)
Char($Result)

resulted in an approximately 10% increase in execution time over 
100,000 iterations.
Also..
for this type of usage - I am not sure that it really matters.
1 - we are significantly restricting the random number range

2 - Since this is for passwords, all that really matters is that it is 
better than ""  :)

On Mon, 26 Jun 2017 14:46:36 -0400, Jim Medlen via 4D_Tech wrote:
> 
> 
> Tim,
> 
> Thanks for the help.
> 
> I think that my method was based on your original tech note
> http://kb.4d.com/assetid=76055
> 
> I found the PHP command mt_rand which generates a random number using
> Mersenne Twister.
> This function was recommended on several web pages regarding random number
> generators.
> 
> Using vbOK:=PHP Execute("";"mt_rand";vi1;1;36) in place of
> vi1:=(Random%35)+1 works well.
> 
> It is fast and has not created any collisions with existing passwords in
> initial testing.
> 
> vText:=""
> vtSet:="abcdefghijklmnopqrstuvwxyz0123456789"
> 
> For (vi2;1;8)
>   //vi1:=(Random%35)+1
>   vbOK:=PHP Execute("";"mt_rand";vi1;1;36)  // Mersenne Twister
>   vText:=vText+vtSet[[vi1]]
> End for
> 
> 
> Thanks,
> 
> Jim Medlen
> Computer & Information Systems
> Functional Devices, Inc.
> j.med...@functionaldevices.com
> phone (765) 883-5538 x 428
> fax (765) 883-4262
> http://www.functionaldevices.com
> This email was transmitted on 100 percent recycled electrons
> 
> On 6/26/17, 12:54 PM, "Timothy Penner"  wrote:
> 
>>> Is the 4D Random function considered a good random number generator ?
>> 
>> It's OK, it produces a 15-bit random number between 1 and 32,767.
>> If you need numbers above 32,767 you can use this:
>> http://kb.4d.com/assetid=7
>> 
>> If the built in command doesn't meet your need then you can use PHP (like
>> David said).
>> 
>> There is also this plugin: https://github.com/miyako/4d-plugin-PRNG
>> 
>>> I concatenate 8 characters to build a "random" password which then has
>>> to meet a few simple rules.
>> 
>> I wrote this tech tip 7 years ago, maybe it will help:
>> http://kb.4d.com/assetid=76055
>> 
>> -Tim PENNER
>> 
>> 
>> Timothy Penner
>> Technical Services Engineer
>> 
>> 4D Inc
>> 95 S. Market Street, Suite #240
>> CA 95113 San Jose
>> United States
>> 
>> Telephone : +1-408-557-4600
>> Standard :  +1-408-557-4600
>> Fax :   +1-408-271-5080
>> Email : tpen...@4d.com
>> Web :   www.4D.com
>> 
>> 
> 
> 
---
Gas is for washing parts
Alcohol is for drinkin'
Nitromethane is for racing 

Re: Generating Random Numbers

2017-06-27 Thread Chip Scheide via 4D_Tech
Below are some links to sites which show statistics on various password 
frequency, some based on hacked password systems.

A summary on passwords - from where I do not remember -
We have succeeded in enforcing passwords which are difficult for us 
humans to use/remember, and easy for computers (hackers) to break.

https://qz.com/772977/millions-of-stolen-last-fm-passwords-have-been-decrypted-these-are-the-top-50/
http://www.jbonneau.com/doc/B12-IEEESP-analyzing_70M_anonymized_passwords.pdf  
(note : pdf)
http://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/

a place for discussion of passwords and related topics : 
http://reddit.com/r/passwords
(an interesting link from there)
https://www.servethehome.com/password-cracking-with-8x-nvidia-gtx-1080-ti-gpus/

Summary: using about $15,000 in computer/GPUs they were getting up to 
441 BILLION hashes a second (MD4)
They were also using a bit over 3kw of power to do so (article says 
about $1/hour in electricity)
ignoring a lot of stuff... at that hash rate:
a 5 character password, which allows 128 characters (basic ascii) 
COMPLETELY BY BRUTE FORCE falls in just over 9 hours.  That is 128^5 
(34,359,738,368).


One analysis I read  - I can't find it again -
not only looked at common passwords, but at common passwords of varying 
length. 
i.e. the most common 8 character, 6 character 10 character etc 
passwords.
The commonest 25 or 30% of passwords fell into the stupid category
..., 2... etc


They also looked at common 4 and 6 digit PINs.
besides the obvious 1234,  etc they also looked at entry patterns 
so passwords that were common, but did not on the surface make sense 
such as 1397, 7931, 7139 etc, when examined in light of the standard 
key pad did make sense as these are all variations on the 'outer 
corners' of the keypad. Other patterns of entry were also discovered, 
diagonals (951x), down the middle (8520), etc.  As I recall, between 
stupid simple PINs ,  etc, and basic keypad patterns something 
like 65% of PINs were covered.



My take on passwords:
- they keep honest people honest.
- passwords for sites which are 1 time use, and do not have access to $ 
(credit cards, etc) Who cares what the password is. Use an easy to 
remember 'junk' password.
- Sites/apps which have access to $ - use a 'good' password (random so 
that social engineering doesn't help, or phrases), stored in a password 
manager  (I use a custom one I wrote in 4D of course).
- Sites which ask 'security questions' - use the same random string 
generator for the answers and store them too.
- given sufficient incentive, time, and $ any password can be cracked, 
or the site/app hacked to either expose or by-pass a password.
- Bio-metrics -- **BAD** idea, maybe I watch/read too much Science 
fiction, but... the loss of a body part to an interested party.. I'll 
pass thank you.



On Mon, 26 Jun 2017 16:32:35 -0600, Cannon Smith via 4D_Tech wrote:
> I can’t agree more with what David has said about passwords. Here is 
> another article about it including a comic that I like:
> 
>   
> 

> 
> --
> Cannon.Smith
> Synergy Farm Solutions Inc.
> Hill Spring, AB Canada
> 403-626-3236
> 
> 
> 
> 
>> On Jun 26, 2017, at 3:49 PM, David Adams via 4D_Tech 
>> <4d_tech@lists.4d.com> wrote:
>> 
>>  I didn't
>> find the reference I wanted for this
> 
---
Gas is for washing parts
Alcohol is for drinkin'
Nitromethane is for racing 
**
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: Generating Random Numbers

2017-06-26 Thread Cannon Smith via 4D_Tech
I can’t agree more with what David has said about passwords. Here is another 
article about it including a comic that I like:




--
Cannon.Smith
Synergy Farm Solutions Inc.
Hill Spring, AB Canada
403-626-3236




> On Jun 26, 2017, at 3:49 PM, David Adams via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
>  I didn't
> find the reference I wanted for this


Re: Generating Random Numbers

2017-06-26 Thread David Adams via 4D_Tech
On Tue, Jun 27, 2017 at 1:32 AM, Jim Medlen via 4D_Tech <
4d_tech@lists.4d.com> wrote:

> I concatenate 8 characters to build a "random"
> password which then has to meet a few simple rules.

> contains a number
> contains a lower case letter
> No Double characters
> Not 3 or more consecutive numbers
> The password must be unique.

Hi, I'm not smart enough about this to rant, but as a user, I can half-rant
;-) If you want to skip my ramblings, here's the take-away:

Long, easy to remember passwords are stronger than short, impossible to
remember passwords.
Because science.

I mostly think about passwords as a user since I have to use a lot of
passwords. I just checked my 1Password and see that I've got over 700
entries with passwords. Yeah, that's a lot. But is it? Probably, but I've
got a good reason. (Nothing exciting, I need to manage a ton of accounts
for family members, etc.) Anyway, even if you don't have that many, chances
are you've got more passwords than you can remember and keep unique.
Everyone does these days. As a user, some pet peeves:

* Man, I hate those complicated formulas. It just reeks of "Users? Screw
users. We hate them."

* Okay, you've got some complicated formula. So you'll put instructions up
to tell me the rules? No? How about a little indicator that shows the parts
of the rules that are matched/not matched by what I've typed? No? Oh I see,
I just keep typing things in and trying them until I stop getting an error
back. There should be a law

* Okay, you've got a horrible formula and you made me figure it out by
trial and error. Now I'm back...oh, I can't see what I'm typing. And what's
up with hiding the password when I type? First it has to be gibberish, then
you won't let me see my typing? It's got nothing to do with security over
the network, it's just making the typing harder. The whole hiding the
password thing kind of makes sense for anyone worried about
shoulder-surfing. But I'm most often in a private/office setting, not in
public. So why hide my typing from *me*? It's so user-hostile. Good ideas:

-- Lots of sites now seem to use a Bootstrap style that briefly shows the
password before obscuring it.
-- Some sites have a little checkbox that lets you show/obscure the
password. That seems like a decent compromise.

* Some (rarely now) sites won't let me copy-and-paste my password in.
Inevitably, they also won't allow you to see what you're typing. Who is
this making more "secure"? I hate them. So much.

Unpleasant sign-ins make me avoid logging into some apps and sites. That's
how dramatically bad the user experience is - I end up feeling consciously
unwilling to even enter the app.

Oh, and what's up with recovery questions? They're generally terrible. Like
"favorite island" or "favorite movie", etc. I mean, if a hacker has your
post code and year of birth, they should be able to guess favorite island
and favorite movie for a pretty significant % of people in a few tries. I
use nonsense answers or answers to different questions entirely...or a
different question as the answer and then I write everything into my
1Password. The whole idea that people can memorize everything isn't working
out.

We've all doubtlessly heard the standard rules for password:
* Change them every x days/weeks/months. (Why? I guess because you assume
every site is getting its passwords stolen regularly. Or that you are.)

* Don't reuse passwords. (Great advice, but impossible to follow without a
password manager. I'd be lost without 1Password.)

* Don't use stupid passwords like 12345678 or password. And yet people do.
Like, a huge percentage of people.

* Don't use simple words from a dictionary. Why? Because if a hacker can
get at the hash for the passwords, they've already got pre-built versions
with the hashed forms of zillions of common words! Instead of
you-need-a-quantum-computer-to-break-this difficulty, you get to
this-is-totally-breakable territory instantly.

* Don't write down your passwords. (Again, 1Password or one of its
competitors to the rescue.)

* Don't share passwords. (Why not? My wife and I each have our own
1Password and make sure that the other one knows the password to get into
each other's 1Password. Helpful.)

It's pretty clear that the whole password thing is failing. So if you have
to use passwords, it's okay to improve on standard practice. Standard
practice isn't working. After big hacks, I often read pieces that explain
exactly what went wrong. And, now and then, listen to or read pieces by
security researchers. Here are a couple of good strategies and ideas I've
picked up that way:

* Don't memorize passwords, use a password manager.

* Visiting a site you don't expect to use again or use often, but it
requires a password? Pick something random and don't record it. If you ever
do need the password again, use their password recovery feature. (I find
this suggestion somehow risqué and always feel a bit daring when I follow
it. Clearly, I need to get out 

Re: Generating Random Numbers

2017-06-26 Thread Jim Medlen via 4D_Tech


Tim,

Thanks for the help.

I think that my method was based on your original tech note
http://kb.4d.com/assetid=76055

I found the PHP command mt_rand which generates a random number using
Mersenne Twister.
This function was recommended on several web pages regarding random number
generators.

Using vbOK:=PHP Execute("";"mt_rand";vi1;1;36) in place of
vi1:=(Random%35)+1 works well.

It is fast and has not created any collisions with existing passwords in
initial testing.

vText:=""
vtSet:="abcdefghijklmnopqrstuvwxyz0123456789"

For (vi2;1;8)
  //vi1:=(Random%35)+1
  vbOK:=PHP Execute("";"mt_rand";vi1;1;36)  // Mersenne Twister
  vText:=vText+vtSet[[vi1]]
End for


Thanks,

Jim Medlen
Computer & Information Systems
Functional Devices, Inc.
j.med...@functionaldevices.com
phone (765) 883-5538 x 428
fax (765) 883-4262
http://www.functionaldevices.com
This email was transmitted on 100 percent recycled electrons



Confidentiality Notice:
The information transmitted is intended only for the person or entity
to which it is addressed and may contain confidential and/or
privileged material. If the reader of this message is not the intended
recipient, you are hereby notified that your access is unauthorized,
and any review, dissemination, distribution or copying of this message
including any attachments is strictly prohibited. If you are not the
intended recipient, please contact the sender at (800) 888-5538 and
permanently delete the original and any copy including printed copies
of this e-mail and any attachments.





On 6/26/17, 12:54 PM, "Timothy Penner"  wrote:

>> Is the 4D Random function considered a good random number generator ?
>
>It's OK, it produces a 15-bit random number between 1 and 32,767.
>If you need numbers above 32,767 you can use this:
>http://kb.4d.com/assetid=7
>
>If the built in command doesn't meet your need then you can use PHP (like
>David said).
>
>There is also this plugin: https://github.com/miyako/4d-plugin-PRNG
>
>> I concatenate 8 characters to build a "random" password which then has
>> to meet a few simple rules.
>
>I wrote this tech tip 7 years ago, maybe it will help:
>http://kb.4d.com/assetid=76055
>
>-Tim PENNER
>
>
>Timothy Penner
>Technical Services Engineer
>
>4D Inc
>95 S. Market Street, Suite #240
>CA 95113 San Jose
>United States
>
>Telephone : +1-408-557-4600
>Standard :  +1-408-557-4600
>Fax :   +1-408-271-5080
>Email : tpen...@4d.com
>Web :   www.4D.com
>
>



RE: Generating Random Numbers

2017-06-26 Thread Timothy Penner via 4D_Tech
> Is the 4D Random function considered a good random number generator ?

It's OK, it produces a 15-bit random number between 1 and 32,767.
If you need numbers above 32,767 you can use this:
http://kb.4d.com/assetid=7

If the built in command doesn't meet your need then you can use PHP (like David 
said).

There is also this plugin: https://github.com/miyako/4d-plugin-PRNG

> I concatenate 8 characters to build a "random" password which then has to 
> meet a few simple rules.

I wrote this tech tip 7 years ago, maybe it will help:
http://kb.4d.com/assetid=76055

-Tim PENNER




RE: Generating Random Numbers

2017-06-26 Thread Dennis, Neil via 4D_Tech
Not considered a good random number generator when you are looking for random 
numbers.

Add in milliseconds or seed it by looking for a random number (from millisecond 
or something) of random numbers and tossing them.

I usually use something like this Random+Abs(Milliseconds) and they seem random 
enough.

Neil








--

Privacy Disclaimer: This message contains confidential information and is 
intended only for the named addressee. If you are not the named addressee you 
should not disseminate, distribute or copy this email. Please delete this email 
from your system and notify the sender immediately by replying to this email.  
If you are not the intended recipient you are notified that disclosing, 
copying, distributing or taking any action in reliance on the contents of this 
information is strictly prohibited.

The Alternative Investments division of UMB Fund Services provides a full range 
of services to hedge funds, funds of funds and private equity funds.  Any tax 
advice in this communication is not intended to be used, and cannot be used, by 
a client or any other person or entity for the purpose of (a) avoiding 
penalties that may be imposed on any taxpayer or (b) promoting, marketing, or 
recommending to another party any matter addressed herein.

Generating Random Numbers

2017-06-26 Thread Jim Medlen via 4D_Tech

Is the 4D Random function considered a good random number generator ?

Is there a better 4D function for generating a random number ?

I am currently using vi1:=(Random%35)+1 to make a random selection of lower
case letters or numbers.

I concatenate 8 characters to build a "random" password which then has to
meet a few simple rules.

contains a number
contains a lower case letter
No Double characters
Not 3 or more consecutive numbers
The password must be unique.


Thanks,

Jim Medlen
Computer & Information Systems
Functional Devices, Inc.
j.med...@functionaldevices.com
phone (765) 883-5538 x 428
fax (765) 883-4262
http://www.functionaldevices.com

This email was transmitted on 100 percent recycled electrons


