[Project_owners] Creating applications with Mozilla
lwchk2001 at yahoo.com.hk
Mon Aug 22 19:17:03 EDT 2005
Okay. I've seen your code some time ago (so I know that it doesn't use an
RNG). BTW, here are my comments:

1. Setting the variable to "null" or delete() doesn't help. That is the same
as deleting the file from the filesystem w/o erasing the file's content.
You should use some way that actually erases memory. Even if it is done
from your JS code, it may still fail on the API side.

2. An RNG is the number one need of a password generator. Bad generators
which use a timer make passwords that can be easily guessed by redoing the
password generation process. So far I don't see a suitable solution in
Mozilla. BTW, you may add an extra XPCOM that makes the entropy in NSPR

3. If you are writing a Delphi/C program, then try to understand the related
API in Windows. (For Unix you simply need to read from /dev/random.)

Eric Jung wrote:
> Hi WC,
> PasswordMaker does not generate random passwords; therefore, it
> doesn't require a robust RNG. As for #2, PasswordMaker is very
> careful to set all variables to null and/or delete() every variable
> which contains a password after use so it doesn't get swapped to a
> disk virtual file. I invite you to review its code.
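
An added illustration of points 1 and 3 above (not code from this thread or from PasswordMaker): a C example that draws password characters from the kernel RNG device rather than a timer, and erases the buffer with stores the compiler cannot optimize away. The function names, character set and buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Overwrite a buffer through a volatile pointer so the compiler cannot
   drop the stores as dead code (a plain memset before return can be). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Fill out[0..len-1] with characters drawn uniformly from charset, using
   bytes read from the kernel RNG device at dev_path; out[len] gets a NUL,
   so out must hold len + 1 bytes. Returns 0 on success, -1 on error. */
static int generate_password(const char *dev_path, const char *charset,
                             char *out, size_t len) {
    size_t n = strlen(charset), i = 0;
    if (n == 0 || n > 256) return -1;
    /* Rejection sampling: accept only bytes below the largest multiple
       of n, so that "byte % n" carries no modulo bias. */
    unsigned limit = 256 - (unsigned)(256 % n);
    FILE *f = fopen(dev_path, "rb");
    if (!f) return -1;
    setvbuf(f, NULL, _IONBF, 0);  /* keep unused random bytes out of a stdio buffer */
    while (i < len) {
        int c = fgetc(f);
        if (c == EOF) {           /* short read: do not leave a partial secret behind */
            fclose(f);
            secure_wipe(out, len + 1);
            return -1;
        }
        if ((unsigned)c < limit) out[i++] = charset[(unsigned)c % n];
    }
    out[len] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    /* Constructed sample character set (look-alike characters left out). */
    const char *cs = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    char pw[17];
    if (generate_password("/dev/random", cs, pw, 16) != 0) return 1;
    printf("%s\n", pw);
    secure_wipe(pw, sizeof pw);   /* erase the secret once it has been used */
    return 0;
}
```

The wipe only covers this one buffer; copies made by `printf`, the terminal or swap are outside its reach, which is the "API side" caveat in point 1.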