The first command they give is (note the double fail: the only input is the current time in seconds, and a hex digest is then base64-encoded):
date +%s | sha256sum | base64 | head -c 32 ; echo
They do provide a command that gives a good alphanumeric password:
tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1
However, they also mention this one:
date | md5sum
About the above command, they say, "I'm sure that some people will complain that it’s not as random as some of the other options, but honestly, it’s random enough if you’re going to be using the whole thing." That is absolutely wrong, and it shows a complete misunderstanding of what a hash function does. md5sum is deterministic: its output is exactly as unpredictable as its input, and the output of date (one-second granularity, a known format) is something an attacker can enumerate in its entirety for any plausible time window. Using "the whole thing" changes nothing, because every one of those 32 hex characters is computed from the same few bits of guessable input.
Lessons Learned:
- Hashing does not add randomness. A hash is a deterministic function, so its output has no more entropy than its input; anyone who can guess the input can compute the output.
- Use a cryptographically secure random number generator (on Unix, /dev/urandom or a library that reads it) to generate passwords.
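To make the two lessons concrete, here is an added example (my own code, not from the original post or the article it criticises). It reproduces the `date +%s | sha256sum | base64 | head -c 32` pipeline in Python, then plays the attacker: knowing the pipeline and roughly when it was run, enumerate the seconds in a window and recover the password. Alongside it is what the `tr -cd '[:alnum:]' < /dev/urandom` pipeline actually does, drawing every character from the OS CSPRNG. The timestamp and the one-day window are constructed values; the sha256sum output format assumed is the GNU one, `<hex>  -` followed by a newline, for stdin.

```python
import base64
import hashlib
import math
import secrets
import string
from typing import Optional


def weak_password(epoch_seconds: int) -> str:
    """Reproduce `date +%s | sha256sum | base64 | head -c 32`.

    `date +%s` prints the epoch second followed by a newline; GNU sha256sum
    prints "<64 lowercase hex chars>  -\n" for stdin; base64 encodes that
    text and head keeps the first 32 characters.
    """
    date_output = f"{epoch_seconds}\n".encode()
    sha256sum_output = hashlib.sha256(date_output).hexdigest() + "  -\n"
    return base64.b64encode(sha256sum_output.encode()).decode()[:32]


def recover_timestamp(password: str, approx_epoch: int, window: int) -> Optional[int]:
    """Attacker's view: the pipeline is public, so the only secret is the
    second at which it ran.  Enumerate the seconds around a rough guess and
    return the one that reproduces the password (None if not in the window).
    """
    for t in range(approx_epoch - window, approx_epoch + window + 1):
        if weak_password(t) == password:
            return t
    return None


def search_space_bits(window: int) -> float:
    """Entropy the attacker actually faces with the weak scheme: log2 of the
    number of candidate seconds in the window, regardless of the 256-bit
    digest or the 32-character output."""
    return math.log2(2 * window + 1)


def strong_password(length: int = 30) -> str:
    """Equivalent of `tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1`:
    each character is chosen independently by the OS CSPRNG (secrets reads
    os.urandom), giving log2(62) ~ 5.95 bits per character."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed: the second the victim ran the pipeline
    pw = weak_password(t0)
    print("weak password:      ", pw)
    # Attacker only knows "some time in the surrounding day".
    print("recovered timestamp:", recover_timestamp(pw, t0 + 1800, 86_400))
    print("search space:        %.1f bits" % search_space_bits(86_400))
    print("strong password:    ", strong_password())
```

The brute force runs in well under a second for a one-day window: the scheme's real strength is about 17 bits, not the 192 bits that 32 base64 characters might suggest.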
Other bugs.
a) the command is "sha256" not "sha256sum"
bash: sha256sum: command not found
$ echo a | sha256
87428fc522803d31065e7bce3cf03fe475096631e5e07bbd7a0fde60c4cf25c7
b) the second command gives "Illegal byte sequence"
% tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1
tr: Illegal byte sequence
My system has a sha256sum command (from GNU Coreutils), and no sha256 command.
What batshit insane distro are you on that it's `sha256`?
(Anon #3 here).
FreeBSD has sha256 as its own command and permits installing GNU Coreutils from packages.
Actually, bug b) above was my fault. I needed
% LANG=C tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1
Could someone explain why base64-encoding hex is failing?
Passwords generated this way have less entropy per character.
A truly random base64 character has 6 bits of entropy (since there are 2^6 possible characters). So a truly random 20-character base64 string would contain 120 bits of entropy.
A truly random hex string has 4 bits of entropy per character. To encode 3 bytes (24 bits) in base64, it takes 24/6=4 base64 characters. In a random hex string, there are 3*4=12 bits of entropy in 3 bytes, so there are 12 bits of entropy for every 4 base64 characters, or 12/4 = 3 bits per character. A 20-character base64 string generated this way would contain only 60 bits of entropy.
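The entropy accounting in the comment above, worked through as an added example (my own code, not from the post or its commenters). It enumerates every 3-character hex triple, base64-encodes each one, and counts what comes out: base64 is injective, so there are exactly 16^3 = 4096 distinct 4-character groups, i.e. 12 bits per 4 output characters, or 3 bits per character. It also shows how few of the 64 base64 symbols can ever appear at each position, which is how you can spot such a password by eye. The input alphabet is parameterised, so the same function generalises beyond hex to any text encoding fed into base64 (for example a digits-only input); the lowercase hex alphabet is the one sha256sum and md5sum actually print.

```python
import base64
import itertools
import math
from typing import List, Set, Tuple

HEX = "0123456789abcdef"  # what sha256sum / md5sum print (lowercase)


def base64_groups_of(alphabet: str = HEX) -> Tuple[Set[str], List[Set[str]]]:
    """Base64 works on 3-byte quanta.  Feed it every 3-character string over
    `alphabet` and record (a) the set of distinct 4-character outputs and
    (b) the distinct symbols seen at each of the 4 output positions."""
    outputs: Set[str] = set()
    per_position: List[Set[str]] = [set() for _ in range(4)]
    for triple in itertools.product(alphabet, repeat=3):
        group = base64.b64encode("".join(triple).encode("ascii")).decode("ascii")
        outputs.add(group)
        for i, ch in enumerate(group):
            per_position[i].add(ch)
    return outputs, per_position


def bits_per_char_base64_of(alphabet: str = HEX) -> float:
    """Entropy per output character when uniformly random text over
    `alphabet` is base64-encoded: log2(#distinct groups) / 4 characters.
    For hex that is log2(4096) / 4 = 3.0, half of a real base64 character."""
    outputs, _ = base64_groups_of(alphabet)
    return math.log2(len(outputs)) / 4


def bits_per_char_random_base64() -> float:
    """A character drawn uniformly from the 64-symbol base64 alphabet."""
    return math.log2(64)


def password_entropy_bits(length: int, bits_per_char: float) -> float:
    return length * bits_per_char


if __name__ == "__main__":
    outputs, per_position = base64_groups_of(HEX)
    print("distinct 4-char groups from hex input:", len(outputs))
    print("distinct symbols possible at positions 1-4:",
          [len(p) for p in per_position], "(of 64 each)")
    print("bits/char, base64 of random hex: %.2f" % bits_per_char_base64_of(HEX))
    print("bits/char, random base64:        %.2f" % bits_per_char_random_base64())
    print("20-char password, hex-then-base64: %.0f bits"
          % password_entropy_bits(20, bits_per_char_base64_of(HEX)))
    print("20-char password, random base64:   %.0f bits"
          % password_entropy_bits(20, bits_per_char_random_base64()))
```

The per-position counts (5, 8, 20 and 16 possible symbols out of 64) are the visible fingerprint of this mistake: the first character of every base64 group of hex text is always one of M, N, O, Y or Z.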