[ANN] Random Password Please: Go random password generator w/ an API


John Barham

May 31, 2012, 9:01:05 AM
to golang-nuts
I've just put up "Random Password Please", a Go powered random
password generator w/ a web service API.

The live site is at http://random-password-please.com/ and the source
is at https://github.com/jbarham/random-password-please.

It's probably not the most economical way to generate passwords, but
it was a fun exercise and although it's just a couple of hundred lines
(including the template HTML) it packs in quite a lot, including
channels, goroutines, templates and signal handling.

Any style comments would be much appreciated.

John

Peter Bourgon

May 31, 2012, 9:12:19 AM
to John Barham, golang-nuts
Nice! Looks clean.
(API link doesn't work, though.)

It would be cool to play with the parameters a bit more. Length could
be a slider, 6-32 characters (for example). You could switch the
character sets it draws from. You could switch the generation scheme
totally: single word (as it is now), N dictionary words, etc.

If you introduce controls, it would be cool to have some gauge of
password strength to the side. Approximate CPU-years to crack, or
something like that.

FIX Rob Lapensee

May 31, 2012, 9:17:24 AM
to golang-nuts
If the server is re-started,
I think it will re-create the same set of passwords.

it uses an un-seeded rand.Int()

Maxim Khitrov

May 31, 2012, 9:20:17 AM
to John Barham, golang-nuts
On Thu, May 31, 2012 at 9:01 AM, John Barham <jba...@gmail.com> wrote:
Using math/rand makes your passwords completely deterministic. Given
enough samples, an attacker will be able to predict all passwords
generated in the future. Since you also don't seed the prng, a default
seed of 1 is used, meaning the same passwords will be generated
from the beginning whenever the server is restarted. In fact, the
attacker just has to query a single password and then run your
generation algorithm from the beginning until it finds the same
output. Everything after that will match.

As a very minor point, since rand.Int() is not evenly divisible by
len(alphabet), your output will have a tiny (and probably negligible)
bias toward the front of the alphabet.

Off the top of my head, a better approach would be to fill a buffer
with random bytes from crypto/rand and then filter out any bytes that
are not in your alphabet.

- Max
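The two generator behaviours Max describes, side by side, as an added example (this is not code from the random-password-please project): a seed-1 math/rand source that reproduces the same password on every run, and the crypto/rand buffer-and-filter approach, which rejects bytes outside the alphabet instead of reducing them modulo its length and so has no bias toward the front of the alphabet. The alphabet and the helper names are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	mrand "math/rand"
	"strings"
)

// Alphabet is a constructed sample character set for the example; the
// project's own alphabet may differ.
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// PredictablePassword reproduces the problem from the thread: math/rand driven
// by a fixed seed is a deterministic sequence, so every run (and every server
// restart) yields the same "random" password. Seed 1 is the default an
// unseeded math/rand source used at the time of the thread.
func PredictablePassword(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		// Reducing a large random int modulo len(Alphabet) also carries the
		// small bias toward the front of the alphabet that Max mentions.
		b[i] = Alphabet[r.Int()%len(Alphabet)]
	}
	return string(b)
}

// SecurePassword fills a buffer from crypto/rand and keeps only the bytes that
// fall inside the alphabet (rejection sampling). Every kept byte is uniform
// over the alphabet, so there is no modulo bias; rejected bytes are simply
// replaced by fresh random bytes.
func SecurePassword(alphabet string, n int) (string, error) {
	if len(alphabet) == 0 || len(alphabet) > 256 {
		return "", errors.New("alphabet must contain between 1 and 256 bytes")
	}
	// allowed[b] is true when byte value b belongs to the alphabet.
	var allowed [256]bool
	for i := 0; i < len(alphabet); i++ {
		allowed[alphabet[i]] = true
	}
	out := make([]byte, 0, n)
	// Over-read: with a 62-byte alphabet only about a quarter of the random
	// bytes are accepted, so 4*n bytes usually cover one password per read.
	buf := make([]byte, 4*n)
	for len(out) < n {
		if _, err := io.ReadFull(rand.Reader, buf); err != nil {
			return "", err
		}
		for _, b := range buf {
			if allowed[b] {
				out = append(out, b)
				if len(out) == n {
					break
				}
			}
		}
	}
	return string(out), nil
}

// InAlphabet reports whether every byte of s comes from alphabet; it is used
// to check the generator's output.
func InAlphabet(s, alphabet string) bool {
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(alphabet, s[i]) < 0 {
			return false
		}
	}
	return true
}

func main() {
	// Two independent sources with the same default seed agree byte for byte:
	// this is what lets someone replay the sequence after a server restart.
	fmt.Println("math/rand seed 1, run A:", PredictablePassword(1, 12))
	fmt.Println("math/rand seed 1, run B:", PredictablePassword(1, 12))

	p, err := SecurePassword(Alphabet, 12)
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand:             ", p)
}
```

The rejection loop is what distinguishes this from `crypto/rand` plus a modulo: a byte in 0..255 has no uniform mapping onto 62 symbols, so the bytes that would need one are thrown away rather than folded. Running the program twice prints identical math/rand lines and different crypto/rand lines.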

John Barham

May 31, 2012, 9:21:40 AM
to Peter Bourgon, golang-nuts
> (API link doesn't work, though.)

http://random-password-please.com/password.txt?len=8 works but I
should probably fix the API "documentation" as it's a pseudo-regular
expression.

> If you introduce controls, it would be cool to have some gauge of
> password strength to the side. Approximate CPU-years to crack, or
> something like that.

But see also http://xkcd.com/538/. ;)

John

Dmitry Chestnykh

May 31, 2012, 8:12:39 PM
to golan...@googlegroups.com
For the love of Entropy, please use crypto/rand!

Here's a handy package that generates proper random strings (uses crypto/rand, avoids modulo bias):


just call

uniuri.NewLen(passwordLen)

and you'll get a random string.

If you don't like the default alphabet, you can supply your own by using NewLenChars function.

-Dmitry

Gustavo Niemeyer

Jun 1, 2012, 4:50:51 AM
to John Barham, golang-nuts
On Thu, May 31, 2012 at 2:01 PM, John Barham <jba...@gmail.com> wrote:
> I've just put up "Random Password Please", a Go powered random
> password generator w/ a web service API.

Interesting. I guess it means people can now have their passwords
leaked before they even know about them.


gustavo @ http://niemeyer.net

Jan Mercl

Jun 1, 2012, 4:59:50 AM
to Gustavo Niemeyer, John Barham, golang-nuts
Sad, but unfortunately true.

Cole Mickens

Jun 1, 2012, 8:18:50 PM
to golan...@googlegroups.com
This sends passwords over HTTP, and even if it didn't, they're generated server side, where they may be stored or shared with others. Especially given that the RNG isn't seeded and doesn't have a good source of entropy, this would be much better suited to a client side application. This could be done all in the browser fairly simply.

Christoph Hack

Jun 3, 2012, 3:18:49 AM
to golan...@googlegroups.com, John Barham
On Friday, June 1, 2012 10:50:51 AM UTC+2, Gustavo Niemeyer wrote:
Interesting. I guess it means people can now have their passwords
leaked before they even know about them.

I've once seen a really useful website that can generate SSH key pairs
for you. You only had to type in your username and hostname, and click
the generate button.