Password validation security issue

[Steven D'Aprano]

On Sun, 02 Mar 2014 15:10:06 -0800, Renato wrote:

> I would like to thank every one who posted a reply. I learnt a lot from
> you, guys! I appreciate your attention and your help :)
> 
> I took a class on Computer Simulation last year. It was told that
> deterministic (pseudo-)random numbers are excellent for simulations,
> because they allow debugging and replication when using a seed(). But it
> was said that deterministic random numbers weren't indeed suitable for
> encryption and security issues in general. For this purpose,
> non-deterministc stochastic methods would be more indicated. 

Either you have misunderstood, or you have been told something incorrect.

You don't in general want non-deterministic stochastic randomness, 
because you can't control it and you can't make any guarantees about it. 
Stochastic randomness nearly always has deviations from uniformity which 
can be exploited, that is, it is less random than you might think. For 
example:

http://www.newscientist.com/article/mg21428644.500-roulette-beater-spills-
physics-behind-victory.html

http://en.wikipedia.org/wiki/Eudaemons


Nor do should you use deterministic PRNGs like the Mersenne Twister, not 
because they are deterministic, but because they aren't cryptographically 
strong.

The right approach is to use a deterministic PRNG which is deliberately 
designed for use in cryptographic applications, and then add in a source 
of entropy (which might be non-deterministic, like thermal noise or the 
output of radioactive decay). On Unix systems, the OS already does this 
for you:

http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/


> One last thing, about my original question. So, the only way of
> encapsulating a Python script content is to code a simple binary program
> to call it?

I don't understand this question. Can you explain more?




-- 
Steven D'Aprano
http://import-that.dreamwidth.org/