Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m developing a password generator, which will run on a webpage.
I’m using the build in features of .net’s Random(); function in to generate random numbers. They are then used to pick different upper/lower-case characters and numbers from a string.
What I’m wondering is, how secure is it to use Random(); function to generate passwords. Note that these passwords expire after 2min, and the page will only allow to generate 3 times per IP adress.
System.Randomis not secure. The biggest weakness is that it has only a 31 bit seed that’s seeded from a predictable source(Environment.TickCount). So an attacker who knows when your instance ofRandomwas created can probably narrow the possible passwords down to a handful.The algorithm itself isn’t secure either. It’s probably possible to predict future outputs from observing a few of them.
Use a class derived from
System.Security.Cryptography.RandomNumberGenerator, such asRNGCryptoServiceProviderto generate secure random numbers.To generate a secure random string, I recommend my answer to How can I generate random 8 character, alphanumeric strings in C#?. Note that most other answers there aren’t secure.