The JavaScript Math.random() function is designed to return a single IEEE floating point value n such that 0 ≤ n < 1. It is (or at least should be) widely known that the output is not cryptographically secure. Most modern implementations use the…
Let's say I want to create a cookie for a user. Would simply generating a 1024-bit string by using /dev/urandom, and checking if it already exists (looping until I get a unique one) suffice?
Should I be generating the key based on something else? Is…
I see a lot of sites use GUIDs for password resets, unsubscribe requests and other forms of unique identification.
Presumably they are appealing because they are easy to generate, unique, non-sequential and seem random.
But are they safe enough for…
I would like to move from sequential to random user IDs, so I can host profile photos publicly, i.e. example.com/profilepics/asdf-1234-zxcv-7890.jpg.
How long must user IDs be to keep anyone from finding any user photos for which they have not been…
While looking for solutions to entropy pool depletion on virtual machines, I came across an interesting project called haveged, which is based on the HAVEGE algorithm (HArdware Volatile Entropy Gathering and Expansion). It makes a pretty fantastic…
It seems to me that a hardware component which generates random numbers is extremely simple - just measure tiny vibrations in the hardware with a sensor, right? Maybe I'm wrong but it seems like if you measured vibrations with very high precision,…
Could anyone point to a quote in a published work - or suggest a recognised expert who might provide a quote - which answers the following question:
How much entropy in a password would guarantee that it is secure against an offline guessing attack…
Which way of additionally feeding /dev/random entropy pool would you suggest for producing random passwords? Or, is there maybe a better way to locally create fully random passwords?
In the question about real vs. fake salt, the answers describe how real salt 'perturbs the encryption algorithm.' I know roughly how initialization vectors work; is this the same concept, or something different entirely?
I was reading up on the documentation for Math.random() and I found the note:
Math.random() does not provide cryptographically secure random
numbers. Do not use them for anything related to security. Use the Web
Crypto API instead, and more…
Forgive my ignorance on the subject, but I wish to know more and asking (stupid) questions is one way. I was reading http://www.random.org/randomness/ and this idea popped into my head (before the bit about lava-lamps)
Considering the…
NIST provides good guidelines on the length of keys and hashes for various algorithms. But I don't see anything specifically on the length of a random or pseudo-random nonce (number used once).
If there is a single good answer for a variety of…
I was recently listening to the Security Now podcast, and they mentioned in passing that the linear congruential generator (LCG) is trivial to crack. I use the LCG in a first-year stats computing class and thought that cracking it would make a nice…
How do you create a readable password using bash with one line? What if I'm looking for 128 bits of entropy?
EDIT
By readable I mean the 94 printable ASCII characters (without space). It can use fewer than these characters as long as it has at least…
In short: Instead of another question asking about when to use /dev/random instead of /dev/urandom, I present the following scenario, in which I find myself in an application I'm building:
A VM or container environment (i.e., a fresh install,…