Hello folks,
As per title, I am looking for a password generation library. I found a couple, among which is https://github.com/rustomax/nim-passgen
Any recommendations?
Why not just use sysrand.urandom to get some random bytes and encode them with base16 or in a hexadecimal string? I.e.
urandom(50).mapIt(it.toHex()).join("")Why not just use sysrand.urandom to get some random bytes and encode them with base64 or in a hexadecimal string?
Flexibility and elegance. You may want special chars, base64 is case sensitive and has weird padding, hex gets long quickly, base32 is okay but you have to write it yourself and it's still limited to lowercase alphanumeric.
You could, if you are so inclined, write an encoder you can pass an arbitrary string of unique characters and some bytes to, and benchmark it against the .sample approach. That would make a neat library. Personally I prefer the one liner because it's so easy to adapt if needed.
https://nim-lang.org/docs/random.html says "Do not use this module for cryptographic purposes!". xoroshiro128 is NOT Cryptographically secure pseudorandom number generator.
Rand has only 128bits status and it has 2^128 - 1 period. So it can generate only 2^128 - 1 different passwords.
If you use 64 (=2^6) characters to generate passwords with pure random number, when the length of it is longer than 22, it can generate more than 2^(6 * 22) = 2^132 different passwords. If you use random module, you don't get stronger passwords even if its length is longer than 22.
If you randomize the internal state of Rand only once and generate multiple passwords and give them to multiple persons, one of them can guess the internal status of Rand only from one given password. It is possible to get all generated passwords from the one internal state used to generate passwords. CSPRNG is designed to prevent such an attack.
I'd say agree to disagree. The requirements you listed make little sense to me unless you write a password-store like KeePass which come with password-generators that want this kind of flexibility.
Particularly since std/random has issues for usage in security-relevant contexts. And it's not like the sysrand example is complex either.