Re: Noob dumb question (extending emacs)

[Jean Louis <bugs@gnu.support>]

* Michael Heerdegen <michael_heerdegen@web.de> [2021-10-26 18:22]:
> Jean Louis <bugs@gnu.support> writes:
> 
> > That is called brute force. Not an algorithm that breaks the function
> > and predicts its outcome.
> 
> So your accounts all have a disclaimer saying "you are only allowed to
> crack the password of this account using an algorithm that predicts the
> password"?  Does everybody respect it?

With enough attempts every password can be cracked.

Function `rcd-password' generates passwords and it is helpful and
useful with websites. Purpose is fulfilled. To say that generated
password is not sure enough and that somebody can predict it, then
better would be to prove it. As if you are cracking a random password
on a website you cannot even know how it was generated or devised.

> > Emacs Lisp function `random' is quite handy and definitely not random
> > enough as such. But with little support of Emacs Lisp it becomes very
> > random. The matter is solved by providing a new seed.
> 
> The part you didn't yet understand is: the random number generator used
> can only generate 2^48 different results.  AFAIU the code (sysdep.c) it
> is even only 2^31 different results.  You can use exabytes of entropy to
> set a seed and it will still only be able to generate 2^31 different
> results.  It will only give you one out of 2^31 possible passwords.  I
> will only have to try these 2^31.  That's just not secure enough.  We
> have mentioned this already several times, but you continuously ignore
> it for some reason.

I surely understand your hypothetical and idealistic thinking. I think
that number 2³¹ is this one: (expt 2 31) ⇒ 2,147,483,648 -- you say
that is too little, and somebody could "find" the possible password. I
think you imply that after somebody has attempted for example 1
billion times, then this person, cracker, would get control over some
of my website accounts. I don't think this is a problem neither for
`pwgen' generated passwords neither for `rcd-password' generated
passwords, because the probability for brute force attempts is equal,
regardless how password has been generated.

Let us say that there is truly random password: "jgu" -- from there it
should be obvious that a brute force password cracking program would
quickly solve it.

You speak of entropy and in same time of with brute force method. It
is disregarded that it becomes irrelevant for brute force how password
has been generated, what it consists of.

Further, the function `rcd-password' uses more basic functions
`rcd-password-generate-1' that in turn for each generated letter uses
different, again random, seed. That system increases randomity to
indefinite.

(defun rcd-random-md5-string ()
  (md5 (concat (emacs-uptime) (format-time-string "%N %6N %3N"))))

(defun rcd-password-generate-1 (string)
  "Return capitalized or downcased single symbol from a string"
  (random (rcd-random-md5-string))
  (let* ((max (length string))
	 (rnd (random max))
	 (single (substring string rnd (+ rnd 1))))
    single))

Now we come back to it, if there is way to practically predict the
outcome, then show me, make the Emacs Lisp function that demonstrates
it.

I can for example give you list of passwords, and you can, by
observing those passwords try to demonstrate to know which one will be
a next password. That way you can prove the statement from your side.

Unless it is proven that you or somebody, can predict a password
generated, `rcd-password' is useful function to generate passwords.

To crack a password generated by `rcd-password' on somebody:

- you would need to know how is password generated, you have the
  access to source, but you cannot know what was the seed. Try to
  guess the seed by guessing the md5 hash of my Emacs uptime and exact
  microsecond, nanosecond and millisecond when password was generated;

- you would need to know which website, which system account, what is
  the name of system account;

- you would need maybe to have access to physical computer on my side;

- you would need to have a program that breaks my program and finds
  out or predicts random passwords outcome;

And more than that.

If we speak only of brute force cracking that means it is irrelevant
to the fact how password was generated in the first place. Brute force
cracking does not prove that password generated by Emacs Lisp function
is unsafe.

If password is 20 chars long, than 2.2 billion times x 20 =
44000000000, I guess 44 gigabytes. I could open up VPS with 100
gigabytes, and try to generate this many passwords to try to find if
any of passwords generated by `rcd-password' is same. 


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/