# Is this secure?

Robert Kern robert.kern at gmail.com
Wed Feb 24 04:09:36 CET 2010

On 2010-02-23 20:43, Steven D'Aprano wrote:
> On Wed, 24 Feb 2010 02:40:13 +0000, Steven D'Aprano wrote:
>
>> On Tue, 23 Feb 2010 15:36:02 +0100, mk wrote:
>>
>>> The question is: is this secure? That is, can the string generated this
>>> way be considered truly random?
>>
>> Putting aside the philosophical question of what "truly random" means, I
>> presume you mean that the letters are uniformly distributed. The answer
>> to that is, they don't like uniformly distributed.
>
> Er, they don't *look* uniformly distributed.
>
> (Of course, being random, perhaps they are and I just got unlucky.)

You'd have to be very, *very* unlucky to get a sample of that size so far from
uniformly distributed if the generating process actually were uniform.

Of course, uniformity isn't really necessary. You just need enough entropy in
the distribution (amongst other things like protection of the seed from being
known or guessed). A skewed distribution of characters is perfectly fine
provided that you had enough characters in the password to meet the desired
entropy requirement. A skewed distribution does require more characters to meet
a specified entropy requirement than a uniform distribution, of course.

That said, for a naive strategy like "pick an independent random character,
repeat", you should just use a uniform distribution. It makes the analysis
easier. Worthwhile generators that give skewed distributions usually do so for a
good reason, like generating pronounceable passwords.

--
Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco
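The post's argument (per-character entropy of the generating distribution, and the extra length a skewed distribution costs) can be made concrete with a short calculation. The following is an added example, not code from the thread; it assumes the "pick an independent random character, repeat" model Robert describes, so the entropy of an n-character password is n times the Shannon entropy of the character distribution. The alphabet, the target of 64 bits and the skewed weights are constructed for illustration, and it uses Python's `secrets` module (a CSPRNG seeded from the OS) rather than `random` for the actual generation, which addresses the "protection of the seed" point.

```python
import math
import secrets
from collections import Counter

# Constructed alphabet: 36 symbols, so a uniform pick yields log2(36) ~= 5.17 bits each.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def shannon_entropy_bits(weights):
    """Entropy in bits of a character distribution given as {char: relative weight}."""
    total = sum(weights.values())
    return -sum((w / total) * math.log2(w / total) for w in weights.values() if w > 0)


def uniform_weights(alphabet):
    """Every symbol equally likely: the distribution Robert recommends for the naive strategy."""
    return {c: 1 for c in alphabet}


def chars_needed(entropy_per_char, target_bits):
    """Length required so that n * H(per char) reaches the target, under independent picks."""
    if entropy_per_char <= 0:
        raise ValueError("a constant distribution carries no entropy")
    return math.ceil(target_bits / entropy_per_char)


def generate_password(length, alphabet=ALPHABET):
    """Uniform, independent picks from a CSPRNG (secrets.choice is backed by os.urandom)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimated_entropy_from_sample(sample):
    """Plug-in entropy estimate from observed frequencies.

    This is only an estimate of the generator's distribution, not a proof that the
    generator is uniform; a small sample will always look somewhat uneven.
    """
    return shannon_entropy_bits(Counter(sample))


if __name__ == "__main__":
    target = 64  # constructed target: 64 bits of password entropy
    h_uniform = shannon_entropy_bits(uniform_weights(ALPHABET))
    # Constructed skew: 'a' ten times as likely as any other symbol.
    skewed = uniform_weights(ALPHABET)
    skewed["a"] = 10
    h_skewed = shannon_entropy_bits(skewed)
    print(f"uniform: {h_uniform:.3f} bits/char -> {chars_needed(h_uniform, target)} chars")
    print(f"skewed:  {h_skewed:.3f} bits/char -> {chars_needed(h_skewed, target)} chars")
    pw = generate_password(chars_needed(h_uniform, target))
    print("sample password:", pw)
    print("plug-in entropy of that short sample:", round(estimated_entropy_from_sample(pw), 3))
```

The last line shows why "the letters don't look uniform" is weak evidence on its own: the plug-in estimate from a 13-character sample is well below log2(36) even when the generator is perfectly uniform, simply because most symbols never appear. The skewed-versus-uniform comparison, by contrast, is a property of the generator, which is the quantity that actually matters for the password's strength.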