I am currently writing a simple password generator (C#). For that I need some random numbers.

Is it OK to simply use the Random class that ships with .NET, or are there any known problems with that?

+11  A: 

Nothing wrong with it--it's good enough to generate simple passwords. A simple example (source):

Random RNG = new Random(); // seeded from the system clock when no seed is given
int RandomNumber;
RandomNumber = RNG.Next(); // non-negative random integer less than 2147483647
RandomNumber = RNG.Next(1, 10); // random integer from 1 to 9 (the upper bound is exclusive)

double RandomDouble = RNG.NextDouble(); // random double >= 0.0 and < 1.0

This article has a very comprehensive example of generating good, easy to read passwords with specified complexity. It may be overkill for you but might provide a nice source to copy ideas from.


If you need something more for cryptography, there's another namespace for that:

System.Security.Cryptography

Specifically, you can use this:

System.Security.Cryptography.RNGCryptoServiceProvider.GetBytes(yourByte)

Here's an example, and another one.

If you're thinking about rolling your own, this site has some information to talk you out of it.

Michael Haren
+1  A: 

If you're after some details on how to make System.Random work for you, this CodeBetter article is well worth reading. He gives a good overview of what the Random function is doing and how to make it 'more random' using a hashed GUID as the seed. If you just need to generate random initial passwords for user accounts (I'm assuming here), then this should be more than sufficient; the cryptography tools would probably be overkill in this case.

Glenn Slaven
@Glenn Slaven: that is a great article, but it isn't about making System.Random 'more random'! It's about a solution to calling the Random constructor with a time seed when very little time has elapsed (such as in a tight loop).
Mitch Wheat
There are several computing stories about programmers who thought they could make a Random No. generator 'more random' by doing 'stuff' to the result, and completely breaking its pseudo-randomness.
Mitch Wheat
+6  A: 

System.Random is not a "cryptographically strong" source of randomness. The output of the Random function is entirely predictable assuming the attacker knows (or can guess) the "seed" value that was used to create the System.Random. If you simply call new System.Random(), that initial value is simply a representation of the current system time (something that an attacker can often guess very easily).

Even if the initial time is not exactly known, an attacker can check all of the potential values in a given time range by brute force.

The random generators in the System.Security.Cryptography namespace are designed for use in this kind of situation and gain their unpredictability from a number of much more secure sources.
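
The contrast the answers above describe, as an added example that is not code from any of the posters: a System.Random password is fully determined by its seed, while the hardened form draws bytes from System.Security.Cryptography and uses rejection sampling so every character is equally likely. The class name, method names, alphabet and the use of Environment.TickCount as a stand-in for a time-derived seed are assumptions made for the illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordDemo
{
    // Constructed alphabet for this example (62 characters).
    const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Weak form: the whole password is a function of the seed.
    static string FromSystemRandom(int seed, int length)
    {
        var rng = new Random(seed);
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[rng.Next(Alphabet.Length)]);
        return sb.ToString();
    }

    // Hardened form: bytes come from the cryptographic generator.
    static string FromCsprng(int length)
    {
        // Largest multiple of the alphabet size that fits in one byte (248 for 62).
        int limit = 256 - (256 % Alphabet.Length);
        var sb = new StringBuilder(length);
        var buf = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
        {
            while (sb.Length < length)
            {
                rng.GetBytes(buf);
                // Discard bytes at or above the limit; keeping them would
                // make the first few characters of the alphabet more likely.
                if (buf[0] < limit)
                    sb.Append(Alphabet[buf[0] % Alphabet.Length]);
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        int seed = Environment.TickCount; // assumed stand-in for a time-derived seed
        // Same seed, same password: the seed is the only secret.
        Console.WriteLine(FromSystemRandom(seed, 12) == FromSystemRandom(seed, 12));
        Console.WriteLine(FromCsprng(12));
    }
}
```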