From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Michael Heerdegen Newsgroups: gmane.emacs.help Subject: Re: Noob dumb question (extending emacs) Date: Thu, 28 Oct 2021 13:41:23 +0200 Message-ID: <878rydbcm4.fsf@web.de> References: <86k0i6uoxd.fsf@duenenhof-wilhelm.de> <871r4ernmt.fsf@zoho.eu> <87o87hnrpt.fsf@zoho.eu> <87y26kkuag.fsf@web.de> <87zgr0t3vw.fsf@web.de> <87o87fy4t3.fsf@zoho.eu> <87ilxmsuqq.fsf@web.de> <87k0hxj37u.fsf@zoho.eu> Mime-Version: 1.0 Content-Type: text/plain Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="31801"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/29.0.50 (gnu/linux) To: help-gnu-emacs@gnu.org Cancel-Lock: sha1:aiK+BEfX12faQxwyTIyqU6lxJ8w= Original-X-From: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Thu Oct 28 13:44:28 2021 Return-path: Envelope-to: geh-help-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mg3pc-00088M-CF for geh-help-gnu-emacs@m.gmane-mx.org; Thu, 28 Oct 2021 13:44:28 +0200 Original-Received: from localhost ([::1]:42152 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mg3pa-0006xA-Ow for geh-help-gnu-emacs@m.gmane-mx.org; Thu, 28 Oct 2021 07:44:26 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:43738) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mg3mm-0006wL-ER for help-gnu-emacs@gnu.org; Thu, 28 Oct 2021 07:41:33 -0400 Original-Received: from ciao.gmane.io ([116.202.254.214]:37488) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mg3mk-0000Jp-7A for help-gnu-emacs@gnu.org; Thu, 28 Oct 2021 07:41:31 -0400 Original-Received: from list by ciao.gmane.io with local (Exim 4.92) (envelope-from ) id 1mg3mi-0004b4-E8 for help-gnu-emacs@gnu.org; Thu, 28 Oct 2021 13:41:28 +0200 X-Injected-Via-Gmane: http://gmane.org/ Received-SPF: pass client-ip=116.202.254.214; envelope-from=geh-help-gnu-emacs@m.gmane-mx.org; helo=ciao.gmane.io X-Spam_score_int: -13 X-Spam_score: -1.4 X-Spam_bar: - X-Spam_report: (-1.4 / 5.0 requ) BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: help-gnu-emacs@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Users list for the GNU Emacs text editor List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: help-gnu-emacs-bounces+geh-help-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "help-gnu-emacs" Xref: news.gmane.io gmane.emacs.help:134257 Archived-At: Emanuel Berg via Users list for the GNU Emacs text editor writes: > Michael Heerdegen wrote: > > > 48 ln(2) > > l = -------- ~ 8.13. > > ln(60) > > > > That would mean that already for a length of 9 only a small > > fraction of passwords are computable. > > Okay, why do you say/how do you know that? Anything besides used entropy is deterministic. If you initialize the seed with a certain entropy, it means that you randomly get one seed out of N possible (known) seeds. In our case N = 2^31 (or something like that). To understand the reasoning behind the following it can help to assume a small N, e.g. N=2, N=10 or N=100, and then think about what fundamentally changes if N is larger (actually nothing, you only need accordingly more tries to guess). This is all quite trivial, only the large numbers involved cloud a bit what is going on. Ok. Those possible seeds are known (computable) to everyone: You start with a random seed out of a public list of N seeds. With each of these seeds, `random' will generate one out of N possible predefined sequences of numbers. With the exception: If N is larger than the number of possible different results of `random' (a finite number of course), let's name it "M", then you must set N = M in the following considerations. So if you use a publicly known deterministic algorithm using `random', your algorithm will generate one out of N possible publicly known password sequences for each call. Security of these passwords stands and falls with the size of N: Say your algorithm calculates passwords using an alphabet consisting of a number b of letters, e.g. b=60 for small and capital letters plus some special characters. Then the entropy used is enough to generate pseudo-random passwords of a length l when b^l ~ N (where "~" means "is approximately"). Why? If l is smaller, b^l < N, your algorithm would often calculate the same password for different seeds, and you would waste a portion of the initial randomness (entropy). If l is larger, b^l > N, the passwords per se are stronger in theory but... that doesn't matter if you publish the algorithm that computed the passwords (or one can guess that algorithm). Then I still have to try only N passwords, not more than when a smaller password length is used. One could say that those longer passwords contain redundancy: a part of those password strings is determined by the rest of the password string and doesn't offer additional security. The situation would be similar to posting on your homepage: "Any of my accounts uses a password out of this list: { "nx4BgzrJmZq0+!YPp%M\s=>!xHP9|EMEzR[&Wu&$,\]lS`fN1y:Bc!Ey", "igbf^Hlcxyg,A0MBa>d:!,}{x"j%?Qi^,P)M=M?|UF2DZ4|>*Mx"&>(;!, "EzIRpdH|;R^1iTAG'*P5LdoJ5sS_Y2kN#S:{S_a\", "rLBtPlQ6Unml'5`+B*l^LA}8>/8C}=I)1(']Zqz+", "Zt.J$fP<$zU)^AH}