[colug-432] Password: /dev/urandom versus /dev/random
Rob Funk
rfunk at funknet.net
Thu Aug 15 09:12:19 EDT 2013
jep200404 at columbus.rr.com wrote:
> On Thu, 15 Aug 2013 01:31:17 -0500, Rick Hornsby <richardjhornsby at gmail.com> wrote:
>
> > < /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo;
>
> What is the advisability of using /dev/urandom versus /dev/random
> for strong passwords?

random(3) says:

    A read from the /dev/urandom device will not block waiting for
    more entropy. As a result, if there is not sufficient entropy
    in the entropy pool, the returned values are theoretically
    vulnerable to a cryptographic attack on the algorithms used by
    the driver. Knowledge of how to do this is not available in
    the current unclassified literature, but it is theoretically
    possible that such an attack may exist. If this is a concern
    in your application, use /dev/random instead.

    Usage

    If you are unsure about whether you should use /dev/random or
    /dev/urandom, then probably you want to use the latter. As a
    general rule, /dev/urandom should be used for everything except
    long-lived GPG/SSL/SSH keys.

I guess it depends on whether you consider a string with a maximum of
192 bits of entropy (64 different characters, 32 positions) to be more
vulnerable to brute force or to the NSA hacking the Linux PRNG.
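
Added example (not part of the original messages): a shell sketch that checks the "64 different characters, 32 positions" figure against the tr set in the quoted one-liner and generates a password the same way. The function names charset_size, entropy_bits and genpw are hypothetical, and pinning LC_ALL=C is an assumption added here.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
CHARSET='_A-Z-a-z-0-9'   # the tr set from the quoted one-liner

# Count the distinct characters tr keeps by passing every printable
# ASCII byte (32..126) through the same filter.
charset_size() {
    i=32
    while [ "$i" -le 126 ]; do
        printf '%b' "\\0$(printf '%03o' "$i")"
        i=$((i + 1))
    done | LC_ALL=C tr -dc "$CHARSET" | wc -c | tr -d ' '
}

# Upper bound on entropy: length * log2(set size).
# $1 = password length
entropy_bits() {
    awk -v n="$(charset_size)" -v len="$1" \
        'BEGIN { printf "%.1f\n", len * log(n) / log(2) }'
}

# Same approach as the one-liner. tr -dc discards bytes outside the
# set, so each surviving character is uniform over the set (no modulo
# bias). LC_ALL=C makes tr treat its input as bytes; some tr
# implementations reject raw random bytes in a UTF-8 locale.
# $1 = length, default 32
genpw() {
    LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "${1:-32}"
    echo
}

printf 'set size: %s, max bits at 32 chars: %s\n' \
    "$(charset_size)" "$(entropy_bits 32)"
genpw 32
```

The bit count is a ceiling set by the alphabet and length; it says nothing about the quality of the generator feeding it, which is the question the thread is weighing.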