For those who would like to find out whether or not they should trust this password generator: https://pastebin.com/qyuqLeLk
It uses a not-quite-secure Python standard RNG, and calls random.randint on it at least 1554 times (only looked at the first loop, there is more). In doing so, it gets at least 38035 bits of entropy out of random.randint. Too bad Python's RNG only has a state size of 19937 bits.
Problem, math?
Yes, you read this right: even when generating just ONE password, random bits used in the generation correlate with each other. A rookie mistake.
Solution would be, of course, using random.SystemRandom to fix this flaw once and for all. I suggested this to the author before, but they wouldn't listen and make this one trivial change, and instead just made the random number generation more complicated.
Also, there are some sources of bias in the algorithm, but last time I checked they only lower password entropy by a few bits.
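As an added illustration (not the generator's code, which is only linked above, and not the post author's): a simplified Python model of the point made here. `bits_requested`, `exceeds_state` and `make_password` are assumed helper names; the alphabet and lengths are constructed for the example, not taken from the real generator.

```python
import math
import random
import string

MT_STATE_BITS = 19937  # state size of Python's default Mersenne Twister (MT19937)


def bits_requested(ranges):
    """Sum of log2(range size) over a sequence of randint(a, b) calls:
    the number of random bits the caller asked the RNG for."""
    return sum(math.log2(b - a + 1) for a, b in ranges)


def exceeds_state(ranges, state_bits=MT_STATE_BITS):
    """True when more bits are pulled from one RNG instance than it holds
    as internal state, so the outputs cannot all be independent."""
    return bits_requested(ranges) > state_bits


def make_password(rng, length, alphabet=string.ascii_letters + string.digits):
    """Build a password with rng.randint, a simplified stand-in for the
    generator under discussion (constructed, not its real algorithm)."""
    return "".join(alphabet[rng.randint(0, len(alphabet) - 1)] for _ in range(length))


def replay_default_rng(length=16):
    """random.Random output is a pure function of its state: capturing the
    state and restoring it reproduces the exact same password."""
    rng = random.Random()
    state = rng.getstate()
    first = make_password(rng, length)
    rng.setstate(state)
    second = make_password(rng, length)
    return first == second


def replay_system_rng():
    """random.SystemRandom draws from os.urandom and has no replayable
    state: getstate() raises NotImplementedError, so nothing to correlate."""
    rng = random.SystemRandom()
    try:
        rng.getstate()
    except NotImplementedError:
        return False
    return True


if __name__ == "__main__":
    # 1554 calls each asking for 24 bits already exceeds the 19937-bit state
    print(exceeds_state([(0, 2**24 - 1)] * 1554), replay_default_rng(), replay_system_rng())
```

Swapping `random.Random()` for `random.SystemRandom()` in `make_password` is the one-line change referred to above.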
#security #cryptography #randomness #fail
reshare from @I Like Da Web
https://greyhatlaboratories.com/download-vb6-random-password-generator-beta-grey-hat-labs.html #password #security #ghl