[Toybox] secpwgen

scsijon scsijon at lamiaworks.com
Wed Dec 9 14:05:47 PST 2020


Wasn't going to get into this, but! 2 comments from my OLD security manual
since this seems to be 'running'.

1- This program does not take any steps to initialize the entropy pool. 
OpenSSL uses the system-provided /dev/[u]random as the source of 
randomness. OpenSSL should report an error on systems that do not 
provide the /dev/random device. If you are sure that your system does 
not support these devices (most notably, WIN32 systems) and the program 
does not report an error then do not use it if you want really secure 
and unguessable passwords. There are many real-life examples where the 
system security was compromised because of poor random number generators.

2- The program will crash if n is too big. No checks are made for the 
internal buffer sizes. However, since this program is intended to be 
used by humans who must memorize their passphrases, this is not an 
issue. The program works correctly for "reasonable" sizes of n (e.g. 
less than 256).

Source:- BSD Manual April 4, 2005
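
The two caveats quoted above (no error when the random device is missing, no check of n against the buffer) can both be handled in a few lines of C. This is an added example, not part of the original post and not secpwgen or toybox code; `gen_password`, `MAX_CHARS`, the alphabet and the `rng_path` parameter are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHARS 255 /* assumed cap, from the "less than 256" guidance */

/* Hypothetical helper: write n characters drawn from alphabet into out.
 * Returns 0 on success, -1 if n does not fit or the random device fails. */
int gen_password(const char *rng_path, char *out, size_t outsz,
                 size_t n, const char *alphabet)
{
    size_t alen = strlen(alphabet);
    size_t i = 0;
    unsigned limit;
    FILE *rng;
    /* Check n against both the policy cap and the caller's buffer. */
    if (n == 0 || n > MAX_CHARS || n >= outsz || alen < 2 || alen > 256)
        return -1;
    /* No silent fallback to a weak generator: a missing device is an error. */
    rng = fopen(rng_path, "rb");
    if (rng == NULL)
        return -1;
    /* Rejection sampling: drop bytes >= limit so no symbol is favoured. */
    limit = 256 - (256 % (unsigned)alen);
    while (i < n) {
        int b = fgetc(rng);
        if (b == EOF) {            /* short read: wipe partial output */
            fclose(rng);
            memset(out, 0, outsz);
            return -1;
        }
        if ((unsigned)b < limit)
            out[i++] = alphabet[(unsigned)b % alen];
    }
    fclose(rng);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char pw[64];
    if (gen_password("/dev/urandom", pw, sizeof pw, 20,
                     "abcdefghijklmnopqrstuvwxyz0123456789") != 0) {
        fprintf(stderr, "no usable random source or bad length\n");
        return 1;
    }
    puts(pw);
    return 0;
}
```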


