Teaser: kbmMW safety first… Random numbers and great passwords!

Delphi's built-in 32 bit random generator is usually sufficient for everyday tasks, like producing random numbers for tests, a game or something similar. It is however a simple linear congruential generator, and if one focuses on security it is not strong enough for cryptographic uses, such as password generation.

Random numbers

In the next version of kbmMW, a set of random number generators has been added for generating 32 bit and 64 bit random values, in addition to supporting the standard Delphi Random method.

32 bit random generators in kbmMW:

  • TkbmMWRandomDelphi
  • TkbmMWRandomPCGUInt32
  • TkbmMWRandomMersenneTwisterUInt32

64 bit random generators in kbmMW:

  • TkbmMWRandomSplitMix
  • TkbmMWRandomXoroshiro128Plus
  • TkbmMWRandomXoroshiro1024
  • TkbmMWRandomMersenneTwisterUInt64

They all share the same interface, so it is easy to replace one with another, or to add a custom random generator of your own.

To get a feel for the spread of a generator, one can draw a large number of random X and Y values and plot them as points on a fine grid. A fair generator ought to spread the points evenly across the grid (a perfectly random source does not exist in deterministic software; all of these are pseudo random generators). Keep in mind that an even looking plot only rules out gross structure in the output; it says nothing about whether the output is predictable.

[image] The 32 bit standard Delphi random plot

[image] The 32 bit PCG random plot

[image] The 32 bit Mersenne Twister random plot

[image] The 64 bit split mix random plot

[image] The 64 bit Xoroshiro 128+ random plot

[image] The 64 bit Xoroshiro1024 random plot

[image] The 64 bit Mersenne Twister random plot

As can be seen, the Delphi random generator does a poor job of covering the entire value space, while the others show the much more even spread one would expect from a fair random generator.

Choosing a random number generator for a particular purpose can be difficult. One has to weigh speed against statistical quality, period length and other factors, and the perfect random number generator does not exist for regular computers at this time. It should also be said that all of the generators listed above, PCG, Mersenne Twister, SplitMix and the xoroshiro family included, are statistical generators and not cryptographic ones: their internal state can be reconstructed from a modest amount of observed output (SplitMix64 from a single full output value, Mersenne Twister from a few hundred consecutive values), after which every later value is predictable. They are a good choice for simulations, tests and games; anything that must stay secret, such as keys, session tokens and passwords, should be drawn from a cryptographically secure generator, for example the operating system's CSPRNG.
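To make both points above concrete, the grid spread test and the difference between "spreads evenly" and "cannot be predicted", here is an added example in Python. It is not kbmMW code and does not use the kbmMW classes; it reimplements three of the algorithms the post names from their published definitions (the Delphi System.Random constants, SplitMix64 and the 2016 xoroshiro128+ constants 55/14/36), turns the X/Y grid plot into a chi-square number, and then recovers the full SplitMix64 state from one output value so that all following outputs can be predicted. The seeds, sample counts and grid size are arbitrary choices for the example.

```python
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


class DelphiStyleLCG:
    """32 bit LCG with the constants of Delphi's System.Random:
    seed = seed * 134775813 + 1 (mod 2**32); Random(n) scales the top bits."""

    def __init__(self, seed=0):
        self.seed = seed & MASK32

    def next32(self):
        self.seed = (self.seed * 134775813 + 1) & MASK32
        return self.seed

    def random(self, n):
        return (self.next32() * n) >> 32


def splitmix64(state):
    """One SplitMix64 step; returns (new_state, output)."""
    state = (state + 0x9E3779B97F4A7C15) & MASK64
    z = state
    z = ((z ^ (z >> 30)) * 0xBF58476D1CE4E5B9) & MASK64
    z = ((z ^ (z >> 27)) * 0x94D049BB133111EB) & MASK64
    return state, z ^ (z >> 31)


class Xoroshiro128Plus:
    """xoroshiro128+ (2016 constants 55/14/36), state seeded via SplitMix64."""

    def __init__(self, seed):
        st, self.s0 = splitmix64(seed)
        st, self.s1 = splitmix64(st)

    @staticmethod
    def rotl(x, k):
        return ((x << k) | (x >> (64 - k))) & MASK64

    def next64(self):
        s0, s1 = self.s0, self.s1
        result = (s0 + s1) & MASK64
        s1 ^= s0
        self.s0 = self.rotl(s0, 55) ^ s1 ^ ((s1 << 14) & MASK64)
        self.s1 = self.rotl(s1, 36)
        return result


def grid_chi2(next_point, samples=20000, cells=16):
    """Numeric form of the X/Y grid plot: count hits per cell and return the
    chi-square statistic against a flat distribution. A fair generator lands
    near cells*cells - 1 (255 here); a much larger value means visible structure."""
    counts = [0] * (cells * cells)
    for _ in range(samples):
        x, y = next_point()
        counts[y * cells + x] += 1
    expected = samples / (cells * cells)
    return sum((c - expected) ** 2 / expected for c in counts)


def lsb_period(lcg, steps=64):
    """Shortest period of the LCG state's lowest bit. With an odd multiplier
    and odd increment that bit simply alternates, so the answer is 2."""
    bits = [lcg.next32() & 1 for _ in range(steps)]
    for p in range(1, steps):
        if all(bits[i] == bits[i - p] for i in range(p, steps)):
            return p
    return None


def unxorshift_right(y, shift):
    """Invert x ^ (x >> shift) on a 64 bit word."""
    x = y
    for _ in range(64 // shift + 1):
        x = y ^ (x >> shift)
    return x


def splitmix64_state_from_output(output):
    """Undo the SplitMix64 output mix. Every step is a bijection on 64 bit
    words (xorshift, multiply by an odd constant), so one output pins the state."""
    z = unxorshift_right(output, 31)
    z = (z * pow(0x94D049BB133111EB, -1, 1 << 64)) & MASK64
    z = unxorshift_right(z, 27)
    z = (z * pow(0xBF58476D1CE4E5B9, -1, 1 << 64)) & MASK64
    return unxorshift_right(z, 30)


def predict_splitmix64(observed_output, count):
    """Given one observed SplitMix64 output, return the next `count` outputs."""
    state = splitmix64_state_from_output(observed_output)
    predictions = []
    for _ in range(count):
        state, out = splitmix64(state)
        predictions.append(out)
    return predictions


if __name__ == "__main__":
    lcg = DelphiStyleLCG(seed=12345)
    print("LCG lowest bit period:", lsb_period(DelphiStyleLCG(12345)))
    print("LCG 16x16 grid chi2:", round(grid_chi2(lambda: (lcg.random(16), lcg.random(16))), 1))
    xo = Xoroshiro128Plus(12345)
    print("xoroshiro128+ grid chi2:", round(grid_chi2(lambda: (xo.next64() >> 60, xo.next64() >> 60)), 1))
    state, first = splitmix64(0xDEADBEEF)
    print("SplitMix64 outputs predicted from one sample:", [hex(v) for v in predict_splitmix64(first, 3)])
```

The chi-square figure is the number behind the plots: a coarse 16 by 16 grid cannot see everything (the LCG's alternating low bit, for instance, never shows up there), so a plot that looks fine is a necessary but not sufficient check. The prediction at the end is the cryptographic point: SplitMix64 spreads beautifully across the grid and is still fully exposed by one value, and the other listed generators differ only in how many outputs an attacker needs.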

These pages explain a bit about their weaknesses and strengths:
http://xoroshiro.di.unimi.it/
http://www.pcg-random.org/

But at least now there is a better choice. And that brings us to the next section: generation of strong passwords.

Strong passwords

Most software today supports some sort of user login where a password is required. kbmMW certainly supports that, for example through the authorization manager.

But the challenge is to make users pick good passwords that they still have a chance of remembering without writing them down.

As a first for Delphi, kbmMW now also supports multiple password generator algorithms to encourage use of strong passwords.

kbmMW comes with two password generators and a framework on which new custom password generators can be built:

  • TkbmMWMixerPasswordGen
  • TkbmMWKoremutakePasswordGen

The Mixer password generator supports selecting the minimum and maximum number of digits, minimum and maximum number of punctuation characters, unicase or mixed case, and minimum length of a generated password.

The Koremutake password generator generates a random 64 bit value and converts it into a string of two and three character groups, forming a semi pronounceable password. Since the input is a 64 bit value, such a password carries at most 64 bits of entropy regardless of its length, and only that much when the 64 bit value itself comes from a strong random source.

Using the password generators is very simple:

var
   pg:TkbmMWMixerPasswordGen;
begin
     pg:=TkbmMWMixerPasswordGen.Create;
     try
        // Optionally set length, digits, punctuation and case settings.
        // Default a password will be minimum 8 characters long,
        // contain from 1 to 4 digits, no punctuation characters
        // and use mixed case alpha characters.
        Memo1.Lines.Add(pg.Generate);
     finally
        pg.Free;
     end;
end;

This could output: 69vcRPhw

var
   pg:TkbmMWKoremutakePasswordGen;
begin
     pg:=TkbmMWKoremutakePasswordGen.Create;
     try
        Memo1.Lines.Add(pg.Generate);
     finally
        pg.Free;
     end;
end;

This could output: GUMIPAVYGRYTIFOFYSI
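As an added example, not code from kbmMW, here are the two password strategies described above written in Python: a Mixer style generator with the same kind of settings (minimum length, digit and punctuation counts, unicase or mixed case) and a Koremutake style encoder that turns a 64 bit value into pronounceable syllables, with a decoder so the 64 bit value can be recovered and checked. All draws come from the operating system's CSPRNG through the secrets module. The syllable table is a constructed stand-in (16 consonants times 8 vowel groups, 128 entries of 2 or 3 letters) and not the real Koremutake table, and the punctuation set is likewise an arbitrary choice for the example.

```python
import math
import secrets
import string

DIGITS = string.digits
PUNCT = "!#$%&*+-=?@_"          # constructed punctuation set for this example
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def mixer_password(min_len=8, min_digits=1, max_digits=4,
                   min_punct=0, max_punct=0, mixed_case=True):
    """Mixer style password: choose how many digits and punctuation characters
    to include, fill up to min_len with letters, then shuffle. Every choice is
    made with the OS CSPRNG (secrets), never with a statistical generator."""
    if not (0 <= min_digits <= max_digits and 0 <= min_punct <= max_punct):
        raise ValueError("min/max settings are inconsistent")
    n_digits = min_digits + secrets.randbelow(max_digits - min_digits + 1)
    n_punct = min_punct + secrets.randbelow(max_punct - min_punct + 1)
    letters = LOWER + UPPER if mixed_case else LOWER
    n_alpha = max(min_len - n_digits - n_punct, 0)
    chars = ([secrets.choice(DIGITS) for _ in range(n_digits)]
             + [secrets.choice(PUNCT) for _ in range(n_punct)]
             + [secrets.choice(letters) for _ in range(n_alpha)])
    # Fisher-Yates shuffle driven by the CSPRNG, so the positions of the
    # digits and punctuation characters do not reveal the construction order.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


# Constructed stand-in syllable table: consonant + vowel group, 128 entries,
# so each syllable carries exactly 7 bits. Every syllable starts with a
# consonant and no consonant appears in a vowel group, which keeps decoding
# unambiguous without separators.
CONSONANTS = "BDFGHJKLMNPRSTVZ"
VOWELS = ["A", "E", "I", "O", "U", "Y", "AI", "OU"]
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]
SYLLABLE_INDEX = {s: i for i, s in enumerate(SYLLABLES)}


def koremutake_style_encode(value):
    """Map a 64 bit value to ten syllables, most significant 7 bit group first.
    The length is fixed (leading zero groups are kept) so decoding is trivial."""
    if not 0 <= value < 1 << 64:
        raise ValueError("value must fit in 64 bits")
    return "".join(SYLLABLES[(value >> (7 * i)) & 0x7F] for i in range(9, -1, -1))


def koremutake_style_decode(text):
    """Inverse of koremutake_style_encode: split at consonants, look up each group."""
    value = 0
    i = 0
    while i < len(text):
        j = i + 1
        while j < len(text) and text[j] not in CONSONANTS:
            j += 1
        value = (value << 7) | SYLLABLE_INDEX[text[i:j]]
        i = j
    return value


def koremutake_style_password():
    """Pronounceable password with exactly 64 bits of CSPRNG entropy."""
    return koremutake_style_encode(secrets.randbits(64))


def alphabet_bits(length, alphabet_size):
    """Upper bound on the entropy of a `length` character password over an
    alphabet of `alphabet_size` symbols. Mixer style output sits below this
    bound because the digit and punctuation counts are constrained."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("mixer (defaults):", mixer_password())
    print("mixer (12 chars, 2 punctuation, lower case):",
          mixer_password(min_len=12, min_punct=2, max_punct=2, mixed_case=False))
    pw = koremutake_style_password()
    print("koremutake style:", pw, "->", hex(koremutake_style_decode(pw)))
    print("8 mixed-case alphanumerics carry at most %.1f bits" % alphabet_bits(8, 62))
```

The numbers are the practical takeaway: an 8 character mixed case alphanumeric password like the Mixer default carries under 48 bits of entropy, while the longer looking Koremutake style string is pinned at exactly 64 bits, however many letters it contains. Whatever generator produces the password, the entropy can never exceed that of the random source behind it.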

We will continue to monitor the various options for password generators, and add support for the ones we find interesting.
