[Project_owners] Creating applications with Mozilla

WC Leung lwchk2001 at yahoo.com.hk
Mon Aug 22 19:17:03 EDT 2005


Okay. I've seen your code some time ago (so I know that it doesn't use an 
RNG). BTW, here are my comments:

1. Setting the variable to "null" or delete() doesn't help. That is the same 
as deleting the file from the filesystem w/o erasing the file's content. 
You should use some way that actually erases memory. Even if it is done 
from your JS code, it may still fail on the API side.

2. RNG is the number one need of a password generator. Bad generators 
which use a timer make passwords that can be easily guessed by redoing the 
password generation process. So far I don't see a suitable solution in 
Mozilla. BTW, you may add an extra XPCOM that makes the entropy in NSPR 
scriptable.

3. If you are writing a Delphi/C program, then try to understand the related 
API in Windows. (For Unix you simply need to read from /dev/random.)

WC Leung


Eric Jung wrote:
> Hi WC,
> 
> PasswordMaker does not generate random passwords; therefore, it
> doesn't require a robust RNG. As for #2, PasswordMaker is very
> careful to set all variables to null and/or delete() every variable
> which contains a password after use so it doesn't get swapped to a
> disk virtual file. I invite you to review its code.
> 
> Regards,
> Eric
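
Point 2 of the message above, shown as an added example (not part of the original thread and not PasswordMaker's code): a timer-seeded generator next to one that draws from the OS CSPRNG, with the size of the search space that results when the creation time is roughly known. All function names, the LCG generator and the clock value are assumptions constructed for the illustration; it runs under Node.js.

```javascript
const crypto = require("node:crypto");

const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Weak pattern (hypothetical generator, constructed for this example):
// a 32-bit LCG seeded from a millisecond clock. Every character of the
// password is a pure function of the seed.
function timerSeededPassword(seedMs, length = 12) {
  let state = seedMs >>> 0;
  let out = "";
  for (let i = 0; i < length; i++) {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    out += ALPHABET[(state >>> 16) % ALPHABET.length];
  }
  return out;
}

// Size of the real search space, in bits, when the creation time is known
// to within +/- windowMs. Compare with length * log2(62) for a true RNG.
function effectiveBits(windowMs) {
  return Math.log2(2 * windowMs + 1);
}

// Replays the generation process over that window; returns the seed that
// reproduces the password, or null if none does.
function replaySeedWindow(password, aroundMs, windowMs) {
  for (let s = aroundMs - windowMs; s <= aroundMs + windowMs; s++) {
    if (timerSeededPassword(s, password.length) === password) return s;
  }
  return null;
}

// Corrected form: each character is drawn from the OS CSPRNG.
// crypto.randomInt is unbiased, so no modulo skew is introduced.
function csprngPassword(length = 12) {
  let out = "";
  for (let i = 0; i < length; i++) {
    out += ALPHABET[crypto.randomInt(ALPHABET.length)];
  }
  return out;
}

// Constructed sample clock value (milliseconds since the Unix epoch).
const createdAt = 1124752623000;
const weak = timerSeededPassword(createdAt);
console.log(weak, "seed:", replaySeedWindow(weak, createdAt + 1234, 5000));
console.log("bits:", effectiveBits(5000), "vs", 12 * Math.log2(62));
console.log(csprngPassword());
```

A 12-character password from this alphabet should carry about 71 bits; with a clock seed known to within five seconds it carries about 13.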

