Posted in: Widget Central

Some random password widgets are not so random.

Author Message
spintriplet



Joined: 05 May 2005
Posts: 2

Posted: Wed Aug 31, 2005 - 4:48 pm    Post subject: Some random password widgets are not so random.

KeychainHelper and some other so-called random password generators use the JavaScript method
Code:
Math.random()
to create random numbers for their passwords.

This method is fundamentally flawed because the same random numbers are generated by this method on every computer. The random password that you think that you are creating can easily be created by someone else.

For example, using length:8 + lowercase + uppercase + numbers in KeychainHelper, the first 7 passwords produced are:
Quote:

aiUCHncQ
Q5xGZcdG
PaxezQK5
0GfOzR4V
qcTuNU9w
p8SUOeN2
qBVDorwk


Chances are, if you use this widget the whole world has just seen your password - so go change it.

Remember, this problem only occurs in widgets that use Math.random(). By using a Cocoa bundle and a pseudo-random number generator that takes a seed, this problem is reduced to the point where your passwords should be safe enough (all pseudo-random numbers will eventually begin to repeat; the only way to get truly random numbers is using a hardware solution like the one from the project LavaRnd at http://www.lavarnd.org).

So don't just trust any widget to make your passwords; check with the developer to make sure that they aren't using JavaScript's Math.random() to generate the passwords.
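The failure mode described in the post, next to a hardened generator, as an added example that is not part of the original post or of any widget's code. The function names are hypothetical, and the fixed-seed LCG is a constructed stand-in for a generator that starts from the same state on every machine, not the algorithm any particular JavaScript engine uses.

```javascript
// Added example: the LCG is a constructed stand-in for a generator that
// starts from the same state everywhere; it is not a real engine's algorithm.
const ALPHABET =
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; // 62 symbols

// Deterministic generator: same seed in, same "random" stream out.
function makeFixedSeedRandom(seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0; // 32-bit LCG step
    return state / 0x100000000; // float in [0, 1), shaped like Math.random()
  };
}

// Weak pattern: index the alphabet with a Math.random()-style float.
function weakPassword(length, random) {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += ALPHABET[Math.floor(random() * ALPHABET.length)];
  }
  return out;
}

// Web Crypto CSPRNG: a global in browsers and recent Node, else via node:crypto.
const secureSource = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

// Hardened pattern: CSPRNG bytes plus rejection sampling, so that
// 256 % 62 != 0 does not bias the output toward the first symbols.
function strongPassword(length) {
  const limit = 256 - (256 % ALPHABET.length); // 248, largest multiple of 62
  const buf = new Uint8Array(1);
  let out = "";
  while (out.length < length) {
    secureSource.getRandomValues(buf);
    if (buf[0] < limit) out += ALPHABET[buf[0] % ALPHABET.length];
  }
  return out;
}

// Two "computers" running the weak generator from the same starting state.
const machineA = weakPassword(8, makeFixedSeedRandom(1));
const machineB = weakPassword(8, makeFixedSeedRandom(1));
console.log("weak, machine A:", machineA);
console.log("weak, machine B:", machineB, "identical:", machineA === machineB);
console.log("strong:", strongPassword(8), strongPassword(8));
```
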