
major issue with entropy in randompasswordgenerator

Open drch- opened this issue 11 years ago • 0 comments

FYI, that RandomPasswordGenerator code you borrowed has a MASSIVE limitation.

Because it seeds the Random() on each call, there are only 2 billion unique passwords that it will generate with same password parameters.

Ironically, the code uses RNGCrypto only to generate the seed, which then sets the System.Random object into a predictable state. The comment above it says "now this is real randomization" :S

Below is a test that demonstrates the issue. Due to the birthday paradox, we get a collision usually around the 50k mark.

The easiest fix is to make the Random object static, but since this is a crypto library, the better solution would be to use RNGCrypto to generate the password instead of System.Random.

    using System.Collections.Generic;
    using NUnit.Framework;

    [TestFixture]
    public class RandomPasswordTests
    {
        [Test]
        public void RandomPassword_Actually_Generates_Random_Passwords()
        {
            // Track every password seen so far; a repeat means the generator
            // has fallen back into a state it already produced.
            HashSet<string> passwords = new HashSet<string>();
            for (int i = 0; i < int.MaxValue; i++)
            {
                string password = RandomPassword.Generate(100, 100);
                if (passwords.Contains(password))
                {
                    Assert.Fail("Password collision after " + i + " iterations");
                }
                passwords.Add(password);
            }
        }
    }

drch- avatar Jul 11 '14 16:07 drch-
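The two generators the issue contrasts, as an added example that is not SimpleCrypto.net's code: the per-call-seeded `System.Random` pattern next to a version that draws characters straight from the CSPRNG, plus the birthday-collision probe the test above relies on. The class and method names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public static class PasswordGenerators
{
    const string Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    // Flawed pattern from the issue: a fresh System.Random seeded on every call.
    // Random(int) only has ~2^31 distinct starting states, so at most that many
    // distinct outputs exist for a given length, no matter how the seed was made.
    public static string SeededPerCall(int length)
    {
        byte[] seedBytes = new byte[4];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(seedBytes);                       // CSPRNG used only for the seed
        var random = new Random(BitConverter.ToInt32(seedBytes, 0));
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[random.Next(Alphabet.Length)]);
        return sb.ToString();
    }

    // Hardened form: every character comes from the CSPRNG. Rejection sampling
    // (discard bytes >= 248) avoids modulo bias because 256 % 62 != 0.
    public static string CryptoRandom(int length)
    {
        int limit = 256 - (256 % Alphabet.Length);         // 248
        var sb = new StringBuilder(length);
        byte[] buf = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
            while (sb.Length < length)
            {
                rng.GetBytes(buf);
                if (buf[0] < limit) sb.Append(Alphabet[buf[0] % Alphabet.Length]);
            }
        return sb.ToString();
    }

    // Birthday probe: index of the first repeated password, or -1 if none
    // appears within maxIterations. Expect a small number (tens of thousands)
    // for SeededPerCall and -1 for CryptoRandom at any feasible count.
    public static int FirstCollision(Func<int, string> generate, int maxIterations)
    {
        var seen = new HashSet<string>();
        for (int i = 0; i < maxIterations; i++)
            if (!seen.Add(generate(100))) return i;
        return -1;
    }
}
```

Calling `FirstCollision(PasswordGenerators.SeededPerCall, 1_000_000)` reproduces the collision the issue describes; the same call with `CryptoRandom` returns -1.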