Zeroclickinfo-goodies: Random Passphrase: Need to seed random number generator in `handle` function

Created on 8 Aug 2016 · 8 Comments · Source: duckduckgo/zeroclickinfo-goodies

It looks like it gives the same output each time: https://v.usetapes.com/0CPjlCD0Lo

Is this something that can be fixed by srand() like in https://github.com/duckduckgo/zeroclickinfo-goodies/blob/3cc434822c56407779d8cc07b0fa6be7cc6b96e9/lib/DDG/Goodie/Password.pm?

CC @moollaza



IA Page: https://duck.co/ia/view/passphrase

Bug Low-Hanging Fruit Medium

All 8 comments

@jagtalon yes, we need to call srand() in the handle function.

@duckduckgo/duckduckhack-contributors would anyone be interested in fixing this IA? The solution is very simple.

We just need to add srand() to the handle function like we do in Password.pm

As well, this IA needs a maintainer so it would be best if the volunteer would be willing to become the maintainer for this IA.

On 10 Aug 2016, at 8:02, Zaahir Moolla wrote:

> @jagtalon yes, we need to call srand() in the handle function.
>
> @duckduckgo/duckduckhack-contributors would anyone be interested in
> fixing this IA? The solution is very simple.

I’ll take it.

> We just need to add srand() to the handle function like we do in
> Password.pm

Except it’s not done properly there either; based on previous
conversation about use of srand, unless it’s been changed recently.

I’ll go back and re-read the conversation about seeding random
generator; memory says differing opinions weren’t resolved. I’ll
find the issue and link it here.

> As well, this IA needs a maintainer so it would be best if the
> volunteer would be willing to become the maintainer for this IA.

I’m happy to take maintainership as well.

Charlie

 Charlie Garrison                   <[email protected]>
 Garrison Computer Services      <http://www.garrison.com.au>
 PO Box 380
 Tumbarumba NSW 2653  Australia

Conundrum

The perldoc says that srand doesn't need to be called explicitly since it's called when rand is called.

> If srand is not called explicitly, it is called implicitly without a parameter at the first use of the rand operator.

With the passphrase script, I get around 3-4 unique passphrases that end up then repeating between reloads. So there is some varying entropy, but I'm not sure why it ends up repeating itself eventually.

I don't get duplicate results running these scripts from duckpan.

On 10 Aug 2016, at 9:42, David wrote:

> With the passphrase script, I get around 3-4 unique passphrases that
> end up then repeating between reloads. So there is some varying
> entropy, but I'm not sure why it ends up repeating itself eventually.

Hitting different processes with different requests. If you send two
requests which get handled by two different processes which are both
being seeded for the first time; there is good possibility of getting
same response.

Which is why something other than srand() is needed to seed rand.
But don’t want to seed with each request either.

Here is an example of the wrong way (seeding with each request):

My attempt at fixing that:

I used rand_int function from Data::Entropy::Algorithms, but any
package which will “guarantee” random numbers and handle srand for
us should work equally as well.

And the previous conversations on this issue:

- https://github.com/duckduckgo/zeroclickinfo-goodies/issues/1285
- https://github.com/duckduckgo/zeroclickinfo-goodies/pull/1956#issuecomment-183178624

My recommendation is still PR#179, although it may need to be modified
to use something other than Data::Entropy::Algorithms (as discussed in
the PR).

 Charlie Garrison                   <[email protected]>
 Garrison Computer Services      <http://www.garrison.com.au>
 PO Box 380
 Tumbarumba NSW 2653  Australia

Conundrum

https://github.com/duckduckgo/duckduckgo/pull/179 was closed in March. @cngarrison, do you think it should be re-opened?

bump

Could we import Crypt::Random for this?

https://perlmaven.com/generate-random-numbers-in-perl-with-rand

Looking at it again, the password goodie has the same problem. If you refresh the page quick enough you'll get the same password 2 or even 3 times in a row.

I'll be trying to make this work with Crypt::URandom and maybe make a pull request.
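
The failure mode discussed in this thread, as an added example that is not part of the original comments or the Goodie's code: assuming a preforking server whose parent process has already used rand(), every forked worker inherits the same generator state and returns the same passphrase, while indices drawn from /dev/urandom do not depend on any per-process seed. The word list and helper names are constructed for illustration, and core Perl reading /dev/urandom stands in for a CPAN module such as Crypt::URandom.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
$| = 1;    # autoflush so forked workers do not replay buffered output

# Constructed word list; the real Goodie's list is not shown on this page.
my @WORDS = qw(apple brick cloud delta ember flint grove haze iris jade
               kelp lime moss nova opal pine quay reed sage tide);

# Weak: indices come from rand(), whose state a forked worker inherits.
sub phrase_rand { join ' ', map { $WORDS[ int rand @WORDS ] } 1 .. 4 }

# Unbiased index in [0, $n) from the kernel CSPRNG. 16-bit samples at or
# above the largest multiple of $n are rejected to avoid modulo bias.
sub urandom_index {
    my ($n) = @_;
    die "range must be 1..65536\n" if $n < 1 || $n > 65536;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $limit = 65536 - ( 65536 % $n );
    while (1) {
        my $got = read $fh, my $buf, 2;
        die "short read from /dev/urandom\n" unless defined $got && $got == 2;
        my $v = unpack 'n', $buf;
        return $v % $n if $v < $limit;
    }
}

sub phrase_urandom { join ' ', map { $WORDS[ urandom_index( scalar @WORDS ) ] } 1 .. 4 }

# Fork $count workers, have each build one phrase, collect them via pipes.
sub from_workers {
    my ( $maker, $count ) = @_;
    my @out;
    for ( 1 .. $count ) {
        pipe( my $r, my $w ) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ( $pid == 0 ) { close $r; print {$w} $maker->(); close $w; exit 0 }
        close $w;
        push @out, scalar <$r>;
        close $r;
        waitpid $pid, 0;
    }
    return @out;
}

rand();    # assumption: the parent used rand() once before forking workers
print "rand():       $_\n" for from_workers( \&phrase_rand,    3 );
print "/dev/urandom: $_\n" for from_workers( \&phrase_urandom, 3 );
```

The three `rand():` lines are identical on every run because each worker starts from the parent's generator state; the `/dev/urandom` lines vary independently of how or when workers are forked.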
