2007-09-22 00:45:12
By Tim Brown
A colleague of mine wrote an interesting critique of MkPasswd. Here is my response:
However, it is possible to further reduce this bound by observing that the algorithm can never construct a password containing the characters "z", "Z", "9" or "|"
He means, I think, that int(rand(25)) gives 0-24, and that 65 + 24 = 'Y', so yes, it appears I am misusing rand().
There's actually a similar bug with selecting the position to insert the digit and the non-alphanumeric character too:
    # rand(4) is in [0, 4), so after + 1 and int() the position is 1..4
    $insertposition = int(rand(4) + 1);
    $newpassword = substr($newpassword, 0, $insertposition)     # first n + 1 characters
                 . chr(int(48 + rand(9)))                       # a digit, but only '0'..'8'
                 . substr($newpassword, $insertposition, length($newpassword));  # the rest
In this case the code actually takes n + 1 characters from position 0, inserts a random digit from 0-8 (as he points out) and then appends the remaining characters from position n + 1 onwards, where n is the initial random number. Clearly this artificially limits the namespace (since we take n from the set 0-3), forcing the first part of the string to be a minimum of 1 character and a maximum of 4 characters in length. The algorithm ends up limiting the locations at which the insert can occur.
However, there are 25 elements in the non-alphanumeric character array. As I previously pointed out, int(rand(25)) gives 0-24. Since Perl arrays start at 0, $array[24] gives the 25th element. Therefore, '|' can be selected?
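The following Perl script is an added example, not MkPasswd code. Rather than sampling rand() and hoping to see the gap, it enumerates the exact integer range int(rand($n)) can produce (0 .. $n - 1) and reports which characters, insert offsets and array indices each of the expressions discussed above can never reach. The 25 symbols in @symbols are a constructed stand-in for the real non-alphanumeric array, whose contents are not shown here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# int(rand($n)) yields an integer in 0 .. $n - 1, so enumerating that range
# gives the complete output set of chr($base + int(rand($n))).
sub reachable_chars {
    my ($n, $base) = @_;
    my %seen;
    $seen{ chr($base + $_) } = 1 for 0 .. $n - 1;
    return \%seen;
}

# Everything in @expected that the expression can never emit.
sub missing_from {
    my ($seen, @expected) = @_;
    return grep { !$seen->{$_} } @expected;
}

my @upper  = ('A' .. 'Z');
my @lower  = ('a' .. 'z');
my @digits = ('0' .. '9');

# The critiqued ranges: rand(25) with base 65 / 97, rand(9) with base 48.
print "rand(25) + 65 never yields: ", join(' ', missing_from(reachable_chars(25, 65), @upper)),  "\n";
print "rand(25) + 97 never yields: ", join(' ', missing_from(reachable_chars(25, 97), @lower)),  "\n";
print "rand(9)  + 48 never yields: ", join(' ', missing_from(reachable_chars(9,  48), @digits)), "\n";

# Corrected ranges: rand(26) and rand(10) cover the whole alphabet and all digits.
my @still_missing = (
    missing_from(reachable_chars(26, 65), @upper),
    missing_from(reachable_chars(26, 97), @lower),
    missing_from(reachable_chars(10, 48), @digits),
);
print "after fix, missing: ", (@still_missing ? "@still_missing" : "none"), "\n";

# Insert position: int(rand(4) + 1) is 1..4 whatever the password length, so
# for an 8 character password the digit never lands at offset 0 or past offset 4.
# Drawing from rand($len + 1) instead reaches every offset 0 .. $len.
sub insert_positions {
    my ($len, $fixed) = @_;
    my %pos;
    if ($fixed) {
        $pos{$_} = 1 for 0 .. $len;        # int(rand($len + 1))
    } else {
        $pos{ $_ + 1 } = 1 for 0 .. 3;     # int(rand(4) + 1), as in the original
    }
    return sort { $a <=> $b } keys %pos;
}
print "original insert offsets for 8 chars: ", join(',', insert_positions(8, 0)), "\n";
print "fixed insert offsets for 8 chars:    ", join(',', insert_positions(8, 1)), "\n";

# Array indexing: with 25 elements, int(rand(25)) gives 0..24 and $array[24]
# is the last element, so every symbol, including the final one, is reachable.
my @symbols = split //, q{!"#$%&'()*+,-./:;<=>?@[]|};   # constructed 25 element stand-in
my %idx;
$idx{$_} = 1 for 0 .. 24;                               # int(rand(scalar @symbols))
my @unreachable = grep { !$idx{$_} } 0 .. $#symbols;
printf "symbol indices never reached: %s (last element '%s' is index %d)\n",
    (@unreachable ? "@unreachable" : "none"), $symbols[-1], $#symbols;
```

Running it prints Z, z and 9 as the unreachable characters for the original ranges, offsets 1,2,3,4 for the original insert position against 0 through 8 for the corrected one, and no unreachable symbol index, which is the distinction the last paragraph draws: the letter and digit ranges were off by one, the array bound was not.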
The code has now been fixed. Looking forward to seeing what he works on next.
Mood: Geeky
Music: Nothing playing right now