On 12/9/20 4:05 PM, scsijon wrote:
> wasn't going to get into this but! 2 comments from my OLD security manual since
> this seems to be 'running'.
>
> 1- This program does not take any steps to initialize the entropy pool.
> OpenSSL

is not Linux and the kernel does all that for us.

> WIN32 systems) are not relevant,

toybox is written for LP64 and Windows is the one non-LP64 system still in regular use.

> The program will crash if n is too big. No checks are made for the internal
> buffer sizes.

Earning the "sec" prefix, clearly.

> BSD April 4, 2005 BSD you want really secure and unguessable passwords. There
> are many real-life examples where the system security was compromised because
> of poor random number generators.

Which is why I switched from srand((unsigned)time(&t)), with only 25 bits of possible input in any given year (trivially brute forceable), to kernel getrandom().

By the way, the initial pwgen submission?

$ for i in 1 2 3 4 5 6 7 8 9 0; do ./pwgen 8 1; done
h4894yGa
h4894yGa
h4894yGa
h4894yGa
h4894yGa
h4894yGa
h4894yGa
h4894yGa
h4894yGa
h4894yGa

Changes once per second, meaning you only have to guess the second they ran it on. I.e. "does not spark joy". (Let us not speak of the trailing space on each entry.)

> 2- The program will crash if n is too big. No checks are made for the internal
> buffer sizes.

This is a repeat? It already said this in the first paragraph?

Rob
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
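The two points raised in the thread, clock-seeded srand() producing the same password for every run in the same second, and a length argument that is never checked against the output buffer, side by side with the fix Rob describes (kernel getrandom() plus a bounds check). This is an added illustration written for this page, not toybox's pwgen source; it assumes Linux/glibc with getrandom() available, and the names weak_password, gen_password, fill_random and random_index are hypothetical:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/random.h>   /* getrandom(); Linux, glibc 2.25+ (assumption for this example) */

/* Character set shared by both generators below (constructed for this example). */
static const char alphabet[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define ALPHABET_LEN (sizeof(alphabet) - 1)

/* The weak scheme the thread describes: srand() seeded from the clock.
 * Every run inside the same second gets the same seed, hence the same
 * password. The seed is a parameter here so the behaviour is reproducible;
 * the original took it from (unsigned)time(&t). */
void weak_password(char *out, size_t n, unsigned seed)
{
    srand(seed);
    for (size_t i = 0; i < n; i++) out[i] = alphabet[rand() % ALPHABET_LEN];
    out[n] = '\0';
}

/* Fill buf with len bytes from the kernel CSPRNG, retrying short reads and
 * EINTR. Returns 0 on success, -1 on failure. */
static int fill_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t r = getrandom(buf + got, len - got, 0);
        if (r < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        got += (size_t)r;
    }
    return 0;
}

/* Draw one index in [0, range) without modulo bias: bytes that fall in the
 * incomplete last bucket are rejected and redrawn (range must be <= 256). */
static int random_index(unsigned range)
{
    unsigned limit = 256 - (256 % range);
    unsigned char b;
    do {
        if (fill_random(&b, 1) < 0) return -1;
    } while (b >= limit);
    return (int)(b % range);
}

/* Hardened generator: kernel-seeded, and it refuses an n that does not fit
 * in the caller's buffer (the bounds check the quoted manual says is absent).
 * Returns 0 on success, -1 if n is zero, n + 1 > cap, or the RNG fails. */
int gen_password(char *out, size_t cap, size_t n)
{
    if (n == 0 || n + 1 > cap) return -1;
    for (size_t i = 0; i < n; i++) {
        int idx = random_index(ALPHABET_LEN);
        if (idx < 0) return -1;
        out[i] = alphabet[idx];
    }
    out[n] = '\0';
    return 0;
}

/* 1 if two clock-seeded runs with the same seed yield the same password. */
int weak_collides(unsigned seed)
{
    char a[9], b[9];
    weak_password(a, 8, seed);
    weak_password(b, 8, seed);
    return strcmp(a, b) == 0;
}

/* 1 if two kernel-seeded runs yield well-formed, different 8-char passwords. */
int strong_differs(void)
{
    char a[9], b[9];
    if (gen_password(a, sizeof a, 8) != 0 || gen_password(b, sizeof b, 8) != 0) return 0;
    if (strspn(a, alphabet) != 8 || strspn(b, alphabet) != 8) return 0;
    return strcmp(a, b) != 0;
}

int main(void)
{
    char buf[9];
    printf("same-second srand() runs identical: %d\n", weak_collides((unsigned)time(NULL)));
    printf("getrandom() runs differ:            %d\n", strong_differs());
    printf("n=100 into a 9-byte buffer rejected: %d\n", gen_password(buf, sizeof buf, 100) == -1);
    return 0;
}
```

The rejection sampling in random_index is there because `rand() % 62` (and any byte `% 62`) slightly favours the first few alphabet characters; with a kernel seed that bias is the remaining defect, so the hardened path removes it as well.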
