[Esapi-user] question about secure usage of randomizer class in .NET version of ESAPI

Yi Li yi.li26 at gmail.com
Thu Oct 28 15:31:29 EDT 2010


> I plan to use the randomizer class in .NET ESAPI and would appreciate it
> if some insight could be provided.
>
> My objective:
>  To generate random passwords in a large batch (10 million plus) with the
> randomizer class. These passwords need to be practically unpredictable
> (random).
> My concern:
>    The underlying service provider in use is Microsoft cryptographic
> provider, which passes FIPS 140-2 validation.
>    I plan to call the randomizer's method in a loop (10 million plus
> iterations) to generate these passwords. As I understand, the randomness of
> the random numbers depends on the initial state (seed) of the PRNG. So if I
> call 10 million plus iterations of the generator (which takes about 30
> minutes to complete on my box), will this cause all these generated values
> to use the same initial state and thus compromise the randomness? If the
> concern is valid, how should I use the randomizer so as to achieve the
> objective?
> Thanks in advance.
>
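
An added example, not part of the original message and not ESAPI code: a batch password generator in C# that draws from the .NET framework's `System.Security.Cryptography.RandomNumberGenerator` directly, keeps one generator instance for the whole loop, and uses rejection sampling so that no character is favoured. The alphabet, password length, batch size and the `BatchPasswords` class name are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

static class BatchPasswords
{
    // Assumed alphabet (57 unambiguous characters) and length; not from the message.
    const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
    const int Length = 16;

    // Build one password with rejection sampling so every character of
    // Alphabet is equally likely (a plain "b % Alphabet.Length" is biased).
    static string Next(RandomNumberGenerator rng, byte[] buf)
    {
        // Largest multiple of Alphabet.Length that fits in the byte range 0..255.
        int limit = 256 - (256 % Alphabet.Length);
        var chars = new char[Length];
        int filled = 0;
        while (filled < Length)
        {
            rng.GetBytes(buf);               // fresh CSPRNG output on every refill
            foreach (byte b in buf)
            {
                if (b >= limit) continue;    // discard values that would skew the result
                chars[filled++] = Alphabet[b % Alphabet.Length];
                if (filled == Length) break;
            }
        }
        return new string(chars);
    }

    static void Main()
    {
        const int count = 100000;            // constructed batch size; raise for a real run
        var seen = new HashSet<string>();
        var buf = new byte[Length * 2];
        // One generator instance for the whole loop, with no manual seeding.
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < count; i++)
                // Sanity check only: a repeat here would point to a broken generator.
                if (!seen.Add(Next(rng, buf)))
                    throw new InvalidOperationException("duplicate at " + i);
        }
        Console.WriteLine("{0} unique passwords generated", seen.Count);
    }
}
```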