Generating long, high-quality random passwords is
not simple. So here is some totally random raw
material, generated just for YOU, to start with.
Every time this page is displayed, our server generates a unique set of custom, high quality, cryptographic-strength password strings which are safe for you to use:
More...
https://www.grc.com/passwords.htm
Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts
Monday, September 8, 2008
C# WEPkey generator
By Mark van den Broek
A Wepkey generator for protecting your wireless LAN
Introduction
Whatever bad you may have heard about WEP (Wired Equivalent Privacy) encryption for wireless networks, not using it is asking for trouble. Usually, it is quick and easy to set up, and at the very least, it doesn't cost you anything!
However, generating random WEP keys to use can be a pain - it's difficult to think up new ones, and if you want good security on your wireless network, you need to change them regularly. I found a JavaScript based WepKey Generator at Warewolf Labs and got so inspired, so I had to make a WepKey generator in C#. The entire code was written in JavaScript, and have kindly made the code available free for distribution (many thanks to them for a great job!) Several method calls in JavaScript don't exist in the .NET framework, so I had to create an equivalent for them. The second thing that I had to do was to re-package the entire regenerated C# code into an object oriented jacket. This can be a kind of handy when you want to inherit the WepKey class into your own projects. Using this application, you can generate good strong WEP keys for your wireless LAN! A good primer on WEP key setup and terms is located here.
First of all, this application can be divided into two sections:
One, create a WepKey based on a custom Pass phrase.
Two, generate a pseudo random WepKey by selecting the corresponding length required by your hardware.
First, I had to create a resource for my application to match the entered pass phrases. The first array is a char array that can hold up to 95 most used (ASCII) characters. The second is a string array that holds the same length as the ASCII array.
Collapse
///
/// Two public static array's for serving as a resource
/// witch will be used to match the input (string) value.
/// Both array's share the same index.
///
///
/// These are the 95 most possible characters from witch
/// to choose for generating the WEP key.
///
public static char [] asciiArray = new char[95] {
' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')',
'*', '+', ',', '-', '.', '/','0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', ':', ';', '<', '=',
'>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G',
'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[',
'\\', ']', '^', '_', '\'', 'a', 'b', 'c', 'd', 'e',
'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',
'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y',
'z', '{', '|', '}', '~'
};
///
/// 95 HEX value's that uses the ASCII index from above.
///
public static string [] hexArray = new string [95] {
"20","21","22","23","24","25","26","27","28","29",
"2A","2B","2C","2D","2E","2F","30","31","32","33",
"34","35","36","37","38","39","3A","3B","3C","3D",
"3E","3F","40","41","42","43","44","45","46","47",
"48","49","4A","4B","4C","4D","4E","4F","50","51",
"52","53","54","55","56","57","58","59","5A","5B",
"5C","5D","5E","5F","60","61","62","63","64","65",
"66","67","68","69","6A","6B","6C","6D","6E","6F",
"70","71","72","73","74","75","76","77","78","79",
"7A","7B","7C","7D","7E"
};
The first option in this application is to create a Custom WepKey by entering a pass phrase. The custom pass phrase string is separated into characters which have been individual matched in the (ASCII) resource array and returns an integer index number. This number will be re consumed by the second method StringToHex to collect the HEX equivalent, and will be merged into one string that finally will be returned to the caller.
///
/// This method actually iterates trough the length
/// of the passphrase to match each character in
/// the Resources.asciiArray using the method LocateAciiIndex.
/// Finally the actually result is matched in the Resources.hexArray
/// and returns the result in variable string Result.
/// Finally string Result is returned to the caller.
///
public string StringToHex() {
int i = (int)InitialValue.DefaultIntegerValue; int j = i;
string Result = string.Empty;
try {
for (i = (int)InitialValue.DefaultIntegerStartValue;
i < WepString.Length; i++) {
j = this.LocateAsciiIndex(WepString[i]);
Result += Resources.hexArray[j];
}
}
catch (System.IndexOutOfRangeException ex) {
Messaging.WepKeyMessage(ex.Message,
Messaging.MessageIcon.Critical());
}
return Result;
}
The second option in this application, probable the strongest, is to create a pseudo random WepKey. It uses pretty much the same methods; the only thing is that GenerateStrongKey now gives the pass phrase.
///
/// This method first clears the class string variable 'WepString';
/// then instatiate an Random object;
/// Then the speudo random generated integer is used
/// as an index to resolves an character
/// in Resources.asciiArray. The speudo random generated integer
/// is actually limited to the max length of Resources.asciiArray.
/// Foreach character resolved in Resources.asciiArray puts
/// the actually result in the class variable WepString.
/// Finally this method returns the combined character string.
///
///
/// (5/13/16/29 bytes for 64/128/152/256-bit WEP
///
public string GenerateStrongKey(int type) {
this.WepString = string.Empty;
Random rdm = new Random();
for (int i = (int)InitialValue.DefaultIntegerStartValue; i < type; i++) {
this.WepString +=
Resources.asciiArray[rdm.Next(Resources.asciiArray.Length)];
}
return this.StringToHex();
}
When creating WepKey's, you must consider using 'strongly generated wepkey's' for your own protection, but that choice is up to you!
More...
http://www.codeproject.com/KB/security/wepkey_generator.aspx
A Wepkey generator for protecting your wireless LAN
Introduction
Whatever bad you may have heard about WEP (Wired Equivalent Privacy) encryption for wireless networks, not using it is asking for trouble. Usually, it is quick and easy to set up, and at the very least, it doesn't cost you anything!
However, generating random WEP keys to use can be a pain - it's difficult to think up new ones, and if you want good security on your wireless network, you need to change them regularly. I found a JavaScript based WepKey Generator at Warewolf Labs and got so inspired, so I had to make a WepKey generator in C#. The entire code was written in JavaScript, and have kindly made the code available free for distribution (many thanks to them for a great job!) Several method calls in JavaScript don't exist in the .NET framework, so I had to create an equivalent for them. The second thing that I had to do was to re-package the entire regenerated C# code into an object oriented jacket. This can be a kind of handy when you want to inherit the WepKey class into your own projects. Using this application, you can generate good strong WEP keys for your wireless LAN! A good primer on WEP key setup and terms is located here.
First of all, this application can be divided into two sections:
One, create a WepKey based on a custom Pass phrase.
Two, generate a pseudo random WepKey by selecting the corresponding length required by your hardware.
First, I had to create a resource for my application to match the entered pass phrases. The first array is a char array that can hold up to 95 most used (ASCII) characters. The second is a string array that holds the same length as the ASCII array.
Collapse
///
/// Two public static array's for serving as a resource
/// witch will be used to match the input (string) value.
/// Both array's share the same index.
///
///
/// These are the 95 most possible characters from witch
/// to choose for generating the WEP key.
///
public static char [] asciiArray = new char[95] {
' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')',
'*', '+', ',', '-', '.', '/','0', '1', '2', '3',
'4', '5', '6', '7', '8', '9', ':', ';', '<', '=',
'>', '?', '@', 'A', 'B', 'C', 'D', 'E', 'F', 'G',
'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '[',
'\\', ']', '^', '_', '\'', 'a', 'b', 'c', 'd', 'e',
'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',
'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y',
'z', '{', '|', '}', '~'
};
///
/// 95 HEX value's that uses the ASCII index from above.
///
public static string [] hexArray = new string [95] {
"20","21","22","23","24","25","26","27","28","29",
"2A","2B","2C","2D","2E","2F","30","31","32","33",
"34","35","36","37","38","39","3A","3B","3C","3D",
"3E","3F","40","41","42","43","44","45","46","47",
"48","49","4A","4B","4C","4D","4E","4F","50","51",
"52","53","54","55","56","57","58","59","5A","5B",
"5C","5D","5E","5F","60","61","62","63","64","65",
"66","67","68","69","6A","6B","6C","6D","6E","6F",
"70","71","72","73","74","75","76","77","78","79",
"7A","7B","7C","7D","7E"
};
The first option in this application is to create a Custom WepKey by entering a pass phrase. The custom pass phrase string is separated into characters which have been individual matched in the (ASCII) resource array and returns an integer index number. This number will be re consumed by the second method StringToHex to collect the HEX equivalent, and will be merged into one string that finally will be returned to the caller.
///
/// This method actually iterates trough the length
/// of the passphrase to match each character in
/// the Resources.asciiArray using the method LocateAciiIndex.
/// Finally the actually result is matched in the Resources.hexArray
/// and returns the result in variable string Result.
/// Finally string Result is returned to the caller.
///
public string StringToHex() {
int i = (int)InitialValue.DefaultIntegerValue; int j = i;
string Result = string.Empty;
try {
for (i = (int)InitialValue.DefaultIntegerStartValue;
i < WepString.Length; i++) {
j = this.LocateAsciiIndex(WepString[i]);
Result += Resources.hexArray[j];
}
}
catch (System.IndexOutOfRangeException ex) {
Messaging.WepKeyMessage(ex.Message,
Messaging.MessageIcon.Critical());
}
return Result;
}
The second option in this application, probable the strongest, is to create a pseudo random WepKey. It uses pretty much the same methods; the only thing is that GenerateStrongKey now gives the pass phrase.
///
/// This method first clears the class string variable 'WepString';
/// then instatiate an Random object;
/// Then the speudo random generated integer is used
/// as an index to resolves an character
/// in Resources.asciiArray. The speudo random generated integer
/// is actually limited to the max length of Resources.asciiArray.
/// Foreach character resolved in Resources.asciiArray puts
/// the actually result in the class variable WepString.
/// Finally this method returns the combined character string.
///
///
/// (5/13/16/29 bytes for 64/128/152/256-bit WEP
///
public string GenerateStrongKey(int type) {
this.WepString = string.Empty;
Random rdm = new Random();
for (int i = (int)InitialValue.DefaultIntegerStartValue; i < type; i++) {
this.WepString +=
Resources.asciiArray[rdm.Next(Resources.asciiArray.Length)];
}
return this.StringToHex();
}
When creating WepKey's, you must consider using 'strongly generated wepkey's' for your own protection, but that choice is up to you!
More...
http://www.codeproject.com/KB/security/wepkey_generator.aspx
A Simple Passphrase Generator
Abstract
Passphrases have been receiving more and more attention as part of a strong security policy. When building secure web-based applications, assigning random passphrases to new user accounts can be a bit of a challenge. In this article, we'll build a simple passphrase generator that can be used as part of a web application to set or reset user passphrases.
by Richard Dudley
I first developed this component for a private web application. Users do not self register, but are approved for access by their service contacts. We then set up the user’s account, assigning a randomly generated passphrase as part of the account setup. When the user logs in for the first time, they are required to change their passphrase to one of their own choosing that meets certain complexity requirements. If a user forgets his or her passphrase, we create a new one using this control, and the user can then log in, but is forced again to change the passphrase. Passphrases are salted and hashed before storing them in the database, and comparisons at login are made against the hash, rather than the passphrase. Although this component was originally designed for a web-based application, it could easily be modified for use as a password generator run on desktop or mobile platforms, or for any other use subject only to your imagination.
Why Passphrases
Perhaps first we should ask "What is a passphrase?" The Wikipedia may say it best:
A passphrase is a collection of 'words' used for access control, typically used to gain access to a computer system. (1)
Passphrases were first proposed in 1981 by Sigmund Porter (6). Passphrases are distinguished from passwords by their virtue of being comprised of several words separated by spaces (2). Passphrases can satisfy even stringent security requirements, while being easier for the users to remember (3). It’s this combination of complexity and ease of remembrance that make passphrases a good part of a password policy.
Our decision to use passphrases included another reason. By using passphrases when a user’s account is set up, we hoped to set an example to our users to use passphrases as well. We hoped that users would follow our example and choose passphrases they could remember easily, and that would be more than their dog’s name concatenated with a number 1. As a precedent, I cited that AOL has for years used multiple word passphrases as the login associated with all those floppies and CDs they send out. PGP and its variants also require using secure passphrases as your private key.
Recommended Passphrase “Best Practices”
With the intrinsic strength of some of the modern encryption, authentication, and message digest algorithms such as RSA, MD5, SHS and IDEA the user password or phrase is becoming more and more the focus of vulnerability. (8)
String passphrases are only one part of a comprehensive security policy. For additional security, you should include other best practices in your application’s login components. Microsoft (4) makes a number of recommendations for Windows networks which are also applicable for ASP.NET applications. These recommendations include:
Enforcing strong passwords
Ensure regular password changes
Maintain a history to prevent immediate reuse
Lock out accounts after a certain number of failed attempts
In a very good series of articles, Jesper Johansson (5) reiterates many of these recommendations, but disagrees about using account lockout policies. Several myths surrounding Windows passwords are addressed by Mark Burnett (7), and although focused on Windows passwords, some of the information is also applicable to ASP.NET applications. Designing a component that includes these recommendations is beyond the scope of this article, but you should familiarize yourself with these recommendations and incorporate the pertinent ones into your application.
Generating Passphrases
FAQ: How do I choose a good password or phrase?
ANS: Shocking nonsense makes the most sense. (9)
There are a number of methods for generating passwords and passphrases. In this article, we’ll modify a method known as Diceware (10). This method consists of a numbered word list and five dice. Each word is assigned a 5-digit number, with only numbers 1-6 at each position, and covering every combination of numbers. The five dice are rolled, and the numbers are read from each face to form a 5-digit number. This number is cross-referenced with a word in the word list, which is then the first word in the passphrase. This process is repeated until the requisite length or number of words has been reached. Diceware has been around for a while, and the International PGP Homepage (12) recommends Diceware as one method to generate your private key.
Instead of rolling dice, we’ll use pseudo-random number generators to simulate dice rolls. To make cross referencing easier, we’ll use a wordlist converted to XML format (which is available in the source code download). This wordlist has also been edited slightly to remove some words not suitable for corporate use (this does not assure that you will not generate offensive combinations, and you may need to further edit the word list to suit your own needs). The original wordlist is also included in the download. We’ll use a few simple methods of seeding the random number generators, which will work in many lower-security cases. If you need more complex random number generation, one source to review is RFC 4086: Randomness Requirements for Security. (11)
Coding the Application
The first step for me was to convert the original tab-delimited wordlist (diceware_wordlist_asc.txt) into an XML-formatted one. This will allow us to use XML query commands, rather than parsing a wordlist line by line. The original wordlist (included unmodified in the source code download) contains the author’s PGP signature, which should be removed prior to XML processing. To prevent downloading of the wordlist, we'll give it a .config extension (wordlist.config), which is mapped to HttpForbiddenHandler. You could also use database storage of the wordlist if you wanted. I have included the class I used to convert the wordlist (wordlist.vb), and the page used to control the conversion (ConvertWordlist.aspx).
Now that we have a word list in an easily queryable format, we’ll use another class to generate our passphrases. We’ll call the class Passphrase, and include a constructor and a GeneratePassphrase method. In our example, we’ll generate a passphrase consisting of two words and a two-digit number. We’ll need five randomly chosen numbers between 1 and 6 for each word, and a randomly chosen two-digit number. To generate the five randomly chosen numbers, we’ll use five different pseudo-random number generators (PRNGs), with five different initialization vectors (IVs, which are numbers used by the PRNGs when they are created to try and ensure a greater degree of uniqueness). The first two IVs will be based on the number of ticks on the processor’s clock; the first IV will be the last 8 digits of this value, and the second IV will be the last 5 digits of this value. The other IVs will be the day of year, day of week, and the two multiplied. The IVs will be created when the class constructor is called, and are suitable for a system that is only used to generate a couple of passphrases on any given day. If you will be generating a large number of passphrases, you may need more variation in your IVs, and reference (11) RFC 4086 (RFC4086) is a recommended source for suggestions. The initialization vectors are shown in Listing 1.
More..
http://aspalliance.com/703_A_Simple_Passphrase_Generator.all
Passphrases have been receiving more and more attention as part of a strong security policy. When building secure web-based applications, assigning random passphrases to new user accounts can be a bit of a challenge. In this article, we'll build a simple passphrase generator that can be used as part of a web application to set or reset user passphrases.
by Richard Dudley
I first developed this component for a private web application. Users do not self register, but are approved for access by their service contacts. We then set up the user’s account, assigning a randomly generated passphrase as part of the account setup. When the user logs in for the first time, they are required to change their passphrase to one of their own choosing that meets certain complexity requirements. If a user forgets his or her passphrase, we create a new one using this control, and the user can then log in, but is forced again to change the passphrase. Passphrases are salted and hashed before storing them in the database, and comparisons at login are made against the hash, rather than the passphrase. Although this component was originally designed for a web-based application, it could easily be modified for use as a password generator run on desktop or mobile platforms, or for any other use subject only to your imagination.
Why Passphrases
Perhaps first we should ask "What is a passphrase?" The Wikipedia may say it best:
A passphrase is a collection of 'words' used for access control, typically used to gain access to a computer system. (1)
Passphrases were first proposed in 1981 by Sigmund Porter (6). Passphrases are distinguished from passwords by their virtue of being comprised of several words separated by spaces (2). Passphrases can satisfy even stringent security requirements, while being easier for the users to remember (3). It’s this combination of complexity and ease of remembrance that make passphrases a good part of a password policy.
Our decision to use passphrases included another reason. By using passphrases when a user’s account is set up, we hoped to set an example to our users to use passphrases as well. We hoped that users would follow our example and choose passphrases they could remember easily, and that would be more than their dog’s name concatenated with a number 1. As a precedent, I cited that AOL has for years used multiple word passphrases as the login associated with all those floppies and CDs they send out. PGP and its variants also require using secure passphrases as your private key.
Recommended Passphrase “Best Practices”
With the intrinsic strength of some of the modern encryption, authentication, and message digest algorithms such as RSA, MD5, SHS and IDEA the user password or phrase is becoming more and more the focus of vulnerability. (8)
String passphrases are only one part of a comprehensive security policy. For additional security, you should include other best practices in your application’s login components. Microsoft (4) makes a number of recommendations for Windows networks which are also applicable for ASP.NET applications. These recommendations include:
Enforcing strong passwords
Ensure regular password changes
Maintain a history to prevent immediate reuse
Lock out accounts after a certain number of failed attempts
In a very good series of articles, Jesper Johansson (5) reiterates many of these recommendations, but disagrees about using account lockout policies. Several myths surrounding Windows passwords are addressed by Mark Burnett (7), and although focused on Windows passwords, some of the information is also applicable to ASP.NET applications. Designing a component that includes these recommendations is beyond the scope of this article, but you should familiarize yourself with these recommendations and incorporate the pertinent ones into your application.
Generating Passphrases
FAQ: How do I choose a good password or phrase?
ANS: Shocking nonsense makes the most sense. (9)
There are a number of methods for generating passwords and passphrases. In this article, we’ll modify a method known as Diceware (10). This method consists of a numbered word list and five dice. Each word is assigned a 5-digit number, with only numbers 1-6 at each position, and covering every combination of numbers. The five dice are rolled, and the numbers are read from each face to form a 5-digit number. This number is cross-referenced with a word in the word list, which is then the first word in the passphrase. This process is repeated until the requisite length or number of words has been reached. Diceware has been around for a while, and the International PGP Homepage (12) recommends Diceware as one method to generate your private key.
Instead of rolling dice, we’ll use pseudo-random number generators to simulate dice rolls. To make cross referencing easier, we’ll use a wordlist converted to XML format (which is available in the source code download). This wordlist has also been edited slightly to remove some words not suitable for corporate use (this does not assure that you will not generate offensive combinations, and you may need to further edit the word list to suit your own needs). The original wordlist is also included in the download. We’ll use a few simple methods of seeding the random number generators, which will work in many lower-security cases. If you need more complex random number generation, one source to review is RFC 4086: Randomness Requirements for Security. (11)
Coding the Application
The first step for me was to convert the original tab-delimited wordlist (diceware_wordlist_asc.txt) into an XML-formatted one. This will allow us to use XML query commands, rather than parsing a wordlist line by line. The original wordlist (included unmodified in the source code download) contains the author’s PGP signature, which should be removed prior to XML processing. To prevent downloading of the wordlist, we'll give it a .config extension (wordlist.config), which is mapped to HttpForbiddenHandler. You could also use database storage of the wordlist if you wanted. I have included the class I used to convert the wordlist (wordlist.vb), and the page used to control the conversion (ConvertWordlist.aspx).
Now that we have a word list in an easily queryable format, we’ll use another class to generate our passphrases. We’ll call the class Passphrase, and include a constructor and a GeneratePassphrase method. In our example, we’ll generate a passphrase consisting of two words and a two-digit number. We’ll need five randomly chosen numbers between 1 and 6 for each word, and a randomly chosen two-digit number. To generate the five randomly chosen numbers, we’ll use five different pseudo-random number generators (PRNGs), with five different initialization vectors (IVs, which are numbers used by the PRNGs when they are created to try and ensure a greater degree of uniqueness). The first two IVs will be based on the number of ticks on the processor’s clock; the first IV will be the last 8 digits of this value, and the second IV will be the last 5 digits of this value. The other IVs will be the day of year, day of week, and the two multiplied. The IVs will be created when the class constructor is called, and are suitable for a system that is only used to generate a couple of passphrases on any given day. If you will be generating a large number of passphrases, you may need more variation in your IVs, and reference (11) RFC 4086 (RFC4086) is a recommended source for suggestions. The initialization vectors are shown in Listing 1.
More..
http://aspalliance.com/703_A_Simple_Passphrase_Generator.all
Subscribe to:
Posts (Atom)
Posts
