On Thu, Nov 27, 2008 at 15:04, Yimin Rong <[EMAIL PROTECTED]> wrote:
> wget -q -O - "http://random.org/integers/?
> num=8&min=33&max=126&col=8&base=16&format=plain&rnd=new" | perl -ne
> 'foreach (split(/\t/, $_)) {print chr(hex($_));} print "\n"'
>
> wget reads web pages
> random.org generates random numbers using atmospheric noise
> perl splits the input into tokens and converts
Except you have transmitted your random number in cleartext over the net. As an attacker, I could be sniffing for http traffic (say with a proxy installed at your ISP) going/coming from random.org. Once I had that traffic I could try the random numbers in them (after conversion with your algorithm) as passwords on your system.

Also, really random strings are hard to remember, which means you will write it down. Now it is susceptible to theft or search warrant.

A much better solution is to use a passphrase made out of random words from a dict file. An eight character random password made up of a-z, A-Z, 0-9, !, @, #, $, %, ^, &, *, (, and ) gives you a search space of 72^8 (roughly 10^14) passwords. A three word passphrase from a dict file with 234,936 words (OS X's /usr/share/dict/words) gives you a search space of 234,936^3 (roughly 10^16) and an average search space of around 26^30 (10^42) (if they don't know you are using a passphrase). Which would you rather remember: "abear Laotian semimembranous" (I am imagining a Laotian bear that stuff is passing through) or "WeIBHfKk"? If you bump the number of words in the passphrase up to four you get a password that is stronger than an eleven character password: "hlWVSm0nm8" vs "freakery hoary inflexive Solomonic" (a wise but inflexible old man who gets up to strange stuff).

-- 
Chas. Owens
wonkden.net
The most important skill a programmer can have is the ability to read.
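The comparison above, worked through as an added example (not code from either poster): it computes the bits of entropy for the 72-symbol password and the dictionary passphrase, and builds the passphrase from a local word list using /dev/urandom, so no random value ever crosses the network. The dict path is the one named in the reply; the fallback word list is constructed here so the script runs where no dict file exists.

```perl
#!/usr/bin/env perl
# Added example: entropy of a random-character password vs a dictionary
# passphrase, and local passphrase generation from /dev/urandom.
use strict;
use warnings;

# Bits of entropy for $len symbols chosen uniformly from an alphabet of
# size $alphabet: log2(alphabet ** len) = len * log2(alphabet).
sub entropy_bits {
    my ($alphabet, $len) = @_;
    return $len * log($alphabet) / log(2);
}

open my $urandom, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";

# Uniform integer in [0, $n): draw 32 bits and reject values above the
# largest multiple of $n, because a plain modulo would favour small indexes.
sub urandom_below {
    my ($n) = @_;
    my $limit = int(2**32 / $n) * $n;
    while (1) {
        read $urandom, my $buf, 4 or die "short read from /dev/urandom";
        my $r = unpack 'L', $buf;            # native-endian unsigned 32-bit
        return $r % $n if $r < $limit;
    }
}

# $count words picked independently from the list, joined by spaces.
sub passphrase {
    my ($words, $count) = @_;
    return join ' ', map { $words->[ urandom_below(scalar @$words) ] } 1 .. $count;
}

my $dict = '/usr/share/dict/words';   # the file the reply refers to
my @words;
if (open my $fh, '<', $dict) {
    chomp(@words = <$fh>);
} else {
    # constructed fallback so the script still runs without a dict file
    @words = qw(abear Laotian semimembranous freakery hoary inflexive Solomonic);
}

printf "8 chars from 72 symbols : %5.1f bits\n", entropy_bits(72, 8);
printf "3 words from %d entries : %5.1f bits\n", scalar @words, entropy_bits(scalar @words, 3);
printf "4 words from %d entries : %5.1f bits\n", scalar @words, entropy_bits(scalar @words, 4);
print  "passphrase: ", passphrase(\@words, 4), "\n";
```

With the 234,936-entry list the reply cites, the three-word passphrase comes out at about 53.5 bits against 49.4 bits for the eight-character password, which matches the 10^16 vs 10^14 figures given above.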