+ 1

Are codes we find when we search "password generator" good to actually generate passwords ?

For example SoloLearn's "Password Generator" : could we use it as it is to generate passwords ? PS: I really like SoloLearn's apps, it really helps to summarize almost everything I learned in languages they're teaching, continue making such great apps

25th Dec 2016, 7:39 AM
Thomas Ghobril
2 Respuestas
+ 5
It depends. But what makes a strong password? Password can be detected to contain english words, let say you want a password named 'variable', a hacker can crack it in less than a second using dictionary search(ignoring the security features of the sites of course). To make it strong, we can just simply invert the word, making it 'elbairav'. To make it even stronger, add numbers. 'elbairav123' , lastly, if you want it to be powerful, add syntaxs. Non-english characters works too! For example : 'e|ba!ra\/123' , and we just changed a simple to hack password 'variable' into 'e|ba!ra\/123' , a bruteforce attack on that would take quite a very long time, which allows time for the website security to stop the attack. But do take note that this is not foolproof as a few things still can get your password : -phishing -keyloggers (a form of 'virus') -etc [more form of 'virus'] Dont go full headache on passwords, you dont want to spend more than 1min to login into your account. And remember that some websites will have security features too to protect your password, but dont take that for granted.
25th Dec 2016, 7:59 AM
Wen Qin
Wen Qin - avatar
0
First, thank you very much for your answer, I did some researches and I answered myself : I took as example the c++ code of SoloLearn : "Password Generator" This is a good code to show how to generate random fixed length Strings but time(0) returns the time in seconds since the Unix epoch (Thu, 01 Jan 1970 00:00:00 GMT). This value is not cryptographically secure, and rand and srand aren't meant to do this kind of work. For example : at the time I am writing this, the current epoch time is 1482649063, almost 1.5 E9. So if you generates a password with this algorithm, there will be only 1.5 billion possibilities, whereas a truly random password has about : pow(charset.length(), passwordlength), here 70^8 so about 5.8 E14 possibilities, and if you know an average of the date or even an idea of the year the password was created, then the password will be quite easy, at least a lot easier to crack by brute force attack. Just to say, we shouldn't use this to hash passwords, or to generate salts and especially not to generate passwords for your database or to do stuff like that. It will still be more secure than "password1", but you know, we're never too cautious. Don't even do this kind of programs alone if you really want to use it for what it does, there is anyway great cryptographically secure and time secure functions in PHP 7 that will do the job for you. And if you are interested in cryptography, you can still read the source of these functions (PHP is open source). Cheers
25th Dec 2016, 1:19 PM
Thomas Ghobril