Add an option to fully use /dev/random as a random source for pwgen. #2

Open
evan0greenup opened this issue Apr 19, 2019 · 2 comments

Comments

@evan0greenup

With the development of haveged, the amount of seed in /dev/random has increased a lot. As a result, using /dev/random as the random source can improve the security of the password.

@tytso (Owner) commented Apr 20, 2019

The security of haveged is highly contested[1] and I personally believe it is security snake oil. The bigger problem is if you specify that option, and you aren't running something like virtio-rng, or rngd, or haveged, pwgen will just hang, and that's not a great user experience. Realistically speaking, if you are generating a password, worrying about whether you are using a CSPRNG or a "true" RNG is the least of your worries.

[1] https://lwn.net/Articles/525459/

It would probably be a good idea to try using getrandom(2) if it is present, warning if it hasn't been fully initialized, but realistically the weakness when using passwords is going to be the human factor.
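An added example (not pwgen's code and not from anyone in this thread) of the getrandom(2) approach suggested above: probe with GRND_NONBLOCK so an uninitialized pool produces a warning instead of silent weak output, then draw each password character with rejection sampling so the alphabet is sampled uniformly. It assumes Linux 3.17 or later and glibc 2.25 or later for `<sys/random.h>`; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>

/* Fill buf with len bytes from the kernel CSPRNG via getrandom(2).  If a
 * GRND_NONBLOCK probe fails with EAGAIN the pool is not yet initialized:
 * warn once, then block until it is rather than emit weak output.  Returns
 * 0 on success, -1 on a hard error such as ENOSYS on a pre-3.17 kernel. */
int fill_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    int warned = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, GRND_NONBLOCK);
        if (n < 0 && errno == EAGAIN) {
            if (!warned++)
                fputs("warning: kernel RNG not yet initialized, waiting\n", stderr);
            n = getrandom(buf + got, len - got, 0);   /* blocks until seeded */
        }
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return 0;
}

/* Write a len-character password over alphabet into out (len + 1 bytes).
 * Each character uses rejection sampling: bytes at or above the largest
 * multiple of the alphabet size are discarded so the modulo is unbiased. */
int pw_gen(char *out, size_t len, const char *alphabet)
{
    size_t n = strlen(alphabet);          /* hypothetical API, not pwgen's */
    unsigned char b;
    if (n == 0 || n > 256) return -1;
    unsigned limit = 256 - (256 % (unsigned)n);
    for (size_t i = 0; i < len; i++) {
        do {
            if (fill_random(&b, 1) < 0)
                return -1;
        } while (b >= limit);
        out[i] = alphabet[b % n];
    }
    out[len] = '\0';
    return 0;
}
```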

@evan0greenup (Author)

@tytso, the majority of computer devices provide a built-in TPM (https://en.wikipedia.org/wiki/Trusted_Platform_Module), which has an integrated hardware random number generator.

The operating system won't fetch new entropy from the HRNG if the entropy pool is not consumed.

I believe devices which support a built-in TPM make up 80% of the world.

Maybe the name of the option could be -S, --super-secure, which uses the blocking random source for every character of the password.

This makes the characters independent from each other and completely unpredictable.

This is helpful in critical environments.
