Random Passwords May Not Be So Random
According to a recent article on macosxhints.com, the random password generator widgets may not be so random after all. Apparently, the JavaScript call Math.random() is quite repetitive in its creation of passwords. I was delighted when I found a widget that destroyed my only excuse for using the same password over and over again, but after reading this article, I have gone in and changed all my passwords to ones created with the OS X password creator assistant in the Users preference pane.





Kevin Ballard on September 6th, 2005 at 11:11 pm
Note: it’s not repetitive because it’s a flawed RNG algorithm, it’s repetitive because it always starts with the same seed each time the Dock is restarted, and there’s no way to change the seed.
However, that’s no excuse for these widgets. They could easily (well, by using system() which requires declaring it needs shell access, but that’s not a big deal) just grab input from /dev/random, which is a great random number source and does not have the problems of Math.random().
Dalle on September 7th, 2005 at 12:26 am
You might also use the password creator in Keychain; there you can see the security of the password as well.
Andrew Hedges on November 24th, 2006 at 8:29 pm
FWIW, my password generation widget, Make-A-Pass, seeds its RNG algorithm using /dev/random … truly random, highly secure:
http://andrew.hedges.name/widgets/
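
The behaviour discussed in the comments above, as an added example that is not part of the original post or any commenter's code: a generator re-created from the same seed yields the same passwords after every restart, while the operating system's CSPRNG does not. `seededRandom` (mulberry32) is a stand-in for a fixed-seed `Math.random()`, and the function names and seed value are assumptions made for illustration.

```javascript
// Added illustration; all names here are hypothetical, not taken from any widget.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Stand-in for a Math.random() whose seed never changes. mulberry32 is used
// only because it is small and seedable; it is not the Dashboard's algorithm.
function seededRandom(seed) {
  let s = seed >>> 0;
  return function () {
    s = (s + 0x6d2b79f5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296; // float in [0, 1)
  };
}

// What a widget does with a float RNG: index into the alphabet.
function weakPassword(random, length) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[Math.floor(random() * ALPHABET.length)];
  }
  return out;
}

// One simulated restart: the generator is recreated from the same fixed seed.
const FIXED_SEED = 1; // constructed value
function passwordsAfterRestart(count, length) {
  const random = seededRandom(FIXED_SEED);
  return Array.from({ length: count }, () => weakPassword(random, length));
}

// Password from the OS CSPRNG, with rejection sampling so that
// 256 % 62 != 0 does not favour the first characters of the alphabet.
function securePassword(length) {
  const limit = 256 - (256 % ALPHABET.length); // 248
  const buf = new Uint8Array(1);
  let out = '';
  while (out.length < length) {
    webcrypto.getRandomValues(buf);
    if (buf[0] < limit) out += ALPHABET[buf[0] % ALPHABET.length];
  }
  return out;
}

console.log(passwordsAfterRestart(3, 12)); // identical list on every restart
console.log(securePassword(12), securePassword(12));
```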