From: Jean Louis
Newsgroups: gmane.emacs.help
Subject: Re: Noob dumb question (extending emacs)
Date: Tue, 26 Oct 2021 21:52:54 +0300
References: <875ytnucjn.fsf@web.de> <87sfwqre9e.fsf@web.de> <8735opa2e8.fsf@web.de> <87tuh5fdha.fsf@web.de> <87cznryfnz.fsf@web.de>
To: Michael Heerdegen
Cc: help-gnu-emacs@gnu.org
In-Reply-To: <87cznryfnz.fsf@web.de>
Xref: news.gmane.io gmane.emacs.help:134225

* Michael Heerdegen [2021-10-26 18:22]:
> Jean Louis writes:
>
> > That is called brute force. Not an algorithm that breaks the function
> > and predicts its outcome.
>
> So your accounts all have a disclaimer saying "you are only allowed to
> crack the password of this account using an algorithm that predicts the
> password"? Does everybody respect it?

With enough attempts every password can be cracked. The function
`rcd-password' generates passwords and it is helpful and useful with
websites. The purpose is fulfilled. To say that a generated password is
not secure enough and that somebody can predict it, then it would be
better to prove it. After all, if you are cracking a random password on
a website, you cannot even know how it was generated or devised.

> > Emacs Lisp function `random' is quite handy and definitely not random
> > enough as such. But with little support of Emacs Lisp it becomes very
> > random. The matter is solved by providing a new seed.
>
> The part you didn't yet understand is: the random number generator used
> can only generate 2^48 different results.
> AFAIU the code (sysdep.c) it
> is even only 2^31 different results. You can use exabytes of entropy to
> set a seed and it will still only be able to generate 2^31 different
> results. It will only give you one out of 2^31 possible passwords. I
> will only have to try these 2^31. That's just not secure enough. We
> have mentioned this already several times, but you continuously ignore
> it for some reason.

I surely understand your hypothetical and idealistic thinking.

I think that number 2³¹ is this one:

(expt 2 31) ⇒ 2,147,483,648

-- you say that is too little, and somebody could "find" the possible
password. I think you imply that after somebody has attempted for
example 1 billion times, then this person, the cracker, would get
control over some of my website accounts.

I don't think this is a problem, neither for `pwgen' generated
passwords nor for `rcd-password' generated passwords, because the
probability for brute force attempts is equal, regardless of how the
password has been generated.

Let us say that there is a truly random password: "jgu" -- from there
it should be obvious that a brute force password cracking program
would quickly solve it.

You speak of entropy and at the same time of the brute force method.
It is disregarded that for brute force it becomes irrelevant how the
password has been generated and what it consists of.

Further, the function `rcd-password' uses the more basic function
`rcd-password-generate-1', which in turn, for each generated letter,
uses a different, again random, seed. That system increases randomness
indefinitely.
(defun rcd-random-md5-string ()
  ;; Seed material: the Emacs uptime string plus the current
  ;; nanoseconds, microseconds and milliseconds, hashed with MD5.
  (md5 (concat (emacs-uptime) (format-time-string "%N %6N %3N"))))

(defun rcd-password-generate-1 (string)
  "Return capitalized or downcased single symbol from a string"
  ;; Reseed `random' from the time-derived string, then pick one
  ;; character of STRING at a random index.
  (random (rcd-random-md5-string))
  (let* ((max (length string))
         (rnd (random max))
         (single (substring string rnd (+ rnd 1))))
    single))

Now we come back to it: if there is a way to practically predict the
outcome, then show me, make the Emacs Lisp function that demonstrates
it. I can for example give you a list of passwords, and you can, by
observing those passwords, try to demonstrate that you know which one
will be the next password. That way you can prove the statement from
your side.

Unless it is proven that you or somebody can predict a generated
password, `rcd-password' is a useful function to generate passwords.

To crack a password generated by `rcd-password' on somebody:

- you would need to know how the password is generated; you have
  access to the source, but you cannot know what the seed was. Try to
  guess the seed by guessing the md5 hash of my Emacs uptime and the
  exact microsecond, nanosecond and millisecond when the password was
  generated;

- you would need to know which website, which system account, and
  what the name of the system account is;

- you would maybe need to have access to the physical computer on my
  side;

- you would need to have a program that breaks my program and finds
  out or predicts the random password outcome;

And more than that.

If we speak only of brute force cracking, that means it is irrelevant
how the password was generated in the first place. Brute force
cracking does not prove that a password generated by an Emacs Lisp
function is unsafe.

If the password is 20 chars long, then 2.2 billion times 20 =
44000000000, I guess 44 gigabytes. I could open up a VPS with 100
gigabytes and try to generate this many passwords to find out if any
of the passwords generated by `rcd-password' is the same.
-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
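An added example, not part of this thread and not the `rcd-password' code, that models the point the two posters disagree on: when a password is produced by a PRNG whose seed comes from a bounded space, the generator can emit at most as many distinct passwords as there are seeds, whatever the password length, and an attacker who has the source brute-forces seeds rather than characters. The PRNG below is a toy 31-bit LCG and the seed width is cut to 16 bits (an assumption, so the exhaustive search finishes in seconds); neither is the actual Emacs `random' implementation, and the "uptime plus nanoseconds" seed string is constructed here. Python's `secrets` module stands in for a CSPRNG-based generator for contrast.

```python
import hashlib
import math
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

# Seed width. The thread discusses 2^31 (or 2^48) generator states; 16 bits
# is an assumption chosen so the exhaustive search below runs in seconds.
SEED_BITS = 16
SEED_SPACE = 1 << SEED_BITS


def seed_from_string(seed_material: str) -> int:
    """Toy model of seeding a PRNG from a string: hash it, keep SEED_BITS bits.

    However long or unpredictable seed_material is, only SEED_SPACE distinct
    seeds can come out. (Assumption: a toy mapping, not what Emacs does.)
    """
    digest = hashlib.md5(seed_material.encode()).digest()
    return int.from_bytes(digest[:4], "big") % SEED_SPACE


def seeded_password(seed: int, length: int) -> str:
    """Deterministic password from a seed via a toy 31-bit LCG.

    Same seed -> same password, regardless of length: the password carries
    no more entropy than the seed did.
    """
    state = seed & 0x7FFFFFFF
    chars = []
    for _ in range(length):
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF  # classic LCG constants
        chars.append(ALPHABET[(state >> 16) % len(ALPHABET)])
    return "".join(chars)


def nominal_bits(length: int) -> float:
    """Entropy a truly random password of this length over ALPHABET would have."""
    return length * math.log2(len(ALPHABET))


def effective_bits(length: int) -> float:
    """What an attacker holding the generator's source actually has to search."""
    return min(SEED_BITS, nominal_bits(length))


def count_distinct_passwords(length: int) -> int:
    """Run every seed; the number of distinct outputs is capped by SEED_SPACE."""
    return len({seeded_password(seed, length) for seed in range(SEED_SPACE)})


def recover_seed(target: str) -> Optional[int]:
    """Attacker's brute force: try every seed, not every character combination.

    Cost is SEED_SPACE generator runs, independent of how the seed string was
    built (uptime, nanoseconds, md5) or how long the password is.
    """
    for seed in range(SEED_SPACE):
        if seeded_password(seed, len(target)) == target:
            return seed
    return None


def csprng_password(length: int) -> str:
    """Contrast: each symbol drawn from the OS CSPRNG; there is no seed to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed seed material standing in for "uptime + nanoseconds".
    victim_seed = seed_from_string("1 day, 3 hours, 12 minutes 123456789 123456 123")
    pw = seeded_password(victim_seed, 20)
    print(f"victim password: {pw}")
    print(f"nominal entropy {nominal_bits(20):.1f} bits, effective {effective_bits(20):.0f} bits")
    print(f"distinct 20-char passwords reachable: {count_distinct_passwords(20)} (<= {SEED_SPACE})")
    print(f"seed recovered by exhaustive search: {recover_seed(pw)} (victim used {victim_seed})")
    print(f"csprng password for comparison: {csprng_password(20)}")
```

The two numbers worth comparing are `nominal_bits(20)` (about 119 bits for a 20-character password over 62 symbols) and `effective_bits(20)` (the seed width): reseeding from a hash of the clock does not change the second number, since every seed string still collapses to one of SEED_SPACE generator states. Scaling the toy back up to the 2^31 figure quoted in the thread changes the search from seconds to hours on one machine, not to something infeasible.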