Edit - Stack Overflow

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

Random password generator + algorithm

I'm currently developing a CLI password generator and I've been trying to come up with ways of randomizing characters between a defined set of chars. I know the srand(time(NULL)) method, but as far as I know, it's a bit inconsistent and not so safe to generate random passwords.

I also know there is a way of randomizing numbers using the libsodium library for C (according to this topic), but I'm not sure how to use it. Should I install all the dependencies in my project? It is a relatively small project to have such a huge library. Although I plan on expanding it as time goes by, I don't know if it's worth having a huge library and not use most of its functions.

On top of that, are there specific algorithms to generate passwords other than just randomizing characters? Should I also randomize the array within itself following another algorithm for better consistency, like the Fisher Yates Shuffle?

Answer*

There are lots of issues to resolve, including:
1. Is the requirement for a function or a program?
2. If it is a function, can it use the same random number generator (seed) as other parts of the programs it is used in, or should its random numbers be independent of other sequences created by the same program?
3. How do you create a good random seed?
4. Assuming you want a function, what should the interface to the function be?
 - For example: `extern void gen_random_password(size_t length, char buffer[length]);`
 - The length specifies the bytes available in the array.
 - The password will therefore have one character less than the specified length in it, to allow for the null terminator.
5. Which random number generators are available from your o/s:
 - `rand()` and `srand()` will be available 'everywhere'
 - POSIX [`nrand48()`](https://pubs.opengroup.org/onlinepubs/9699919799/functions/nrand48.html) - no hidden seed
 - `arc4random()` — no seed permitted (BSD, macOS)
 - `random()` and `srandom()` (BSD, macOS)
6. What characters are allowed in a password?


I like using `nrand48()` because it allows the random password generator to run a series of random numbers independently of any other sequence because it takes the seed — an array of 3 `unsigned short` integers — as arguments.

Generating a good random seed is tricky. I have code which can be configured to use any of these mechanisms:
1. Value from reading /dev/random
2. Value from reading /dev/urandom
3. Value from arc4random()
4. Value from mixing clock_gettime() and getpid() and 16-bit CRC
5. Value from mixing gettimeofday() and getpid() and 16-bit CRC
6. Value from mixing time() and getpid() and 16-bit CRC

The first two are preferable — there may or may not be a significant difference between `/dev/random` and `/dev/urandom`.

Once you've got these important but tedious issues out of the way, the core algorithm for generating a random password is very simple:
### `grpwd43.h`
```
#ifndef JLSS_ID_GRPWD43_H
#define JLSS_ID_GRPWD43_H

#include <stddef.h>

extern void gen_random_passwd(size_t length, char buffer[length]);

#endif /* JLSS_ID_GRPWD43_H */
```
### `grpwd43.c`
```
#include "grpwd43.h" /* SSC: Self-sufficiency check */
#include <assert.h>
#include "randseed.h"
#include "prng48.h"

/*
** Tweak this list of alphanumerics plus punctuation to suit.
** For example, list the alphabet twice (or more) to make letters more
** likely than numbers or punctuation.
*/
static const char password[] =
 "abcdefghijklmnopqrstuvwxyz"
 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 "0123456789"
 "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
 ;
enum { NUM_PASSWORD = sizeof(password) - 1 };

static int initialized = 0;

void gen_random_passwd(size_t length, char buffer[length])
{
 assert(buffer != NULL && length != 0);
 if (buffer == NULL || length == 0)
 return;

 if (initialized == 0)
 {
 unsigned short seed[3];
 random_seed_bytes(sizeof(seed), seed);
 prng48_seed(seed);
 initialized = 1;
 }

 for (size_t i = 0; i < length - 1; i++)
 {
 buffer[i] = password[prng48_rand(0, NUM_PASSWORD - 1)];
 }
 buffer[length - 1] = '0円';
}

#ifdef TEST

#include <stdio.h>

int main(int argc, char **argv)
{
 for (int i = 11; i < 31; i++)
 {
 char passwd[i];
 gen_random_passwd(i, passwd);
 printf("%d: %s\n", i - 1, passwd);
 }

 return 0;
}

#endif /* TEST */
```
The other source files needed can be found in my [SOQ](https://github.com/jleffler/soq) (Stack Overflow Questions) repository on GitHub in the [src/so-7594-6155](https://github.com/jleffler/soq/tree/master/src/so-7594-6155) sub-directory
or in the [src/libsoq](https://github.com/jleffler/soq/tree/master/src/libsoq) sub-directory.

Draft saved

Draft discarded

Edit Summary*

Cancel

Hello Jonathan! Thank you so much for your response! There are a couple of things I didn't understand though. For example, in your topics 1 and 2, you ask "Is the requirement for a function or a program?", and "should its random numbers be independent of other sequences created by the same program?", how could that be?

thevoyager
– thevoyager

2023年05月04日 16:57:51 +00:00
Commented May 4, 2023 at 16:57
Also, this CLI password generator is my final project in CS50, which is still currently under development. You can see it in this repo. I'll be trying to wrap my mind around your reply so I can plug in the concepts you described in your SOQ repository.

thevoyager
– thevoyager

2023年05月04日 17:03:55 +00:00
Commented May 4, 2023 at 17:03
If you have a function that will be used repeatedly, the second question (about the independence of random number sequences) becomes important. If you're just writing a program to generate one, or several, random passwords, there is no other random sequence to worry about. If you're doing simulations, you may want to ensure that your random numbers are repeatable. The rand() function has only one seed used by all threads — so independent sequences are not feasible.

Jonathan Leffler
– Jonathan Leffler

2023年05月04日 23:06:17 +00:00
Commented May 4, 2023 at 23:06
The drand48() family of functions provides some which have independent seeds, so you can have different sequences depending on which seed values you use. And the prng48_*() family of functions exploits nrand48() because it takes a user-specified seed. Getting a good, random enough, initial value for the seed is a whole separate bag of worms.

Jonathan Leffler
– Jonathan Leffler

2023年05月04日 23:09:06 +00:00
Commented May 4, 2023 at 23:09
Thank you for your explanation, now I understand it better. I spent the whole day researching the topic and looking at the code you wrote to get a grasp on it. Additionally, I wanted to ask how does drand48() differs from dev/random or dev/urandom? Also, how could I implement the solutions you mentioned in your repository on my project? What libraries would I have to use?

thevoyager
– thevoyager

2023年05月04日 23:24:29 +00:00
Commented May 4, 2023 at 23:24

| Show 7 more comments

How to Edit

Correct minor typos or mistakes
Clarify meaning without changing it
Add related resources or links
Always respect the author’s intent
Don’t use edits to reply to the author

How to Format

create code fences with backticks ` or tildes ~
```
like so
```
add language identifier to highlight code
```python
def function(foo):
print(foo)
```
put returns between paragraphs
for linebreak add 2 spaces at end
_italic_ or **bold**
indent code by 4 spaces
backtick escapes `like _so_`
quote by placing > at start of line
to make links (use https whenever possible)

<https://example.com>

[example](https://example.com)

<a href="https://example.com">example</a>

formatting help »
answering help »

How to Tag

A tag is a keyword or label that categorizes your question with other, similar questions. Choose one or more (up to 5) tags that will help answerers to find and interpret your question.

complete the sentence: my question is about...
use tags that describe things or concepts that are essential, not incidental to your question
favor using existing popular tags
read the descriptions that appear below the tag

If your question is primarily about a topic for which you can't find a tag:

combine multiple words into single-words with hyphens (e.g. python-3.x), up to a maximum of 35 characters
creating new tags is a privilege; if you can't yet create a tag you need, then post this question without it, then ask the community to create it for you

popular tags »

lang-c

CollectivesTM on Stack Overflow

Random password generator + algorithm

Answer*