Is there a security risk in using parts of a GUID as random passwords?

When users create an account in my web application, I generate a GUID and use its first 8 characters as their password, which is then emailed to them.

Is there a security risk that I am ignoring when using GUIDs as passwords? I reviewed the question "Are GUIDs good passwords?", but that question is about personal passwords, not random / generated ones. Ideally, users will log in and change their password if they wish.

+4
6 answers

Using GUIDs as passwords is a very bad idea. GUIDs are generated in a very predictable and well-defined way. In other words, given enough information, this will allow an attacker to predict the passwords of other users.

Predictable and clearly defined is the exact opposite of what you want in a password generator.

+8

Yes, if you don't know exactly how the GUID is built. For example, some GUIDs include the host's MAC address in the GUID. If you happen to use those bits, it compromises most of the bit space of the "random" password.

Simply put, GUIDs may be unique, but they are not necessarily random.

+4
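As an added illustration for this page (not code from the question or from any of the answers), the layout of a version-1 GUID makes the point above concrete: the first 8 hex characters of its textual form are the `time_low` field, the low 32 bits of a 100 ns clock, so the "password" contains neither the MAC address bits nor anything secret, just a timestamp. The Python below builds v1 GUIDs deterministically from a timestamp, shows that an attacker who knows roughly when a victim's account was created (for example because they registered right after the victim and received their own GUID-derived password) can brute-force the prefix through a login oracle at about 10^7 candidates per second of uncertainty, and contrasts that with a CSPRNG-backed password as the answers recommend. `SAMPLE_NODE`, `SAMPLE_CLOCK_SEQ`, the timestamps and the `login_ok` oracle are constructed sample values and stand-ins, not data from any real system.

```python
import math
import secrets
import string
import uuid

# RFC 4122 layout of a version-1 GUID: the first 8 hex characters of the
# textual form are time_low, the low 32 bits of a 100 ns timestamp.
TICKS_PER_SECOND = 10_000_000

# Constructed sample values (not from any real host): a MAC-derived node and a
# clock sequence, which a v1 generator keeps fixed for the life of a process.
SAMPLE_NODE = 0x005056C00008
SAMPLE_CLOCK_SEQ = 0x1234


def v1_from_timestamp(ts_100ns: int, clock_seq: int = SAMPLE_CLOCK_SEQ,
                      node: int = SAMPLE_NODE) -> uuid.UUID:
    """Build a version-1 GUID from a 60-bit timestamp as RFC 4122 lays it out."""
    time_low = ts_100ns & 0xFFFFFFFF
    time_mid = (ts_100ns >> 32) & 0xFFFF
    time_hi_version = ((ts_100ns >> 48) & 0x0FFF) | (1 << 12)   # version nibble = 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80      # RFC 4122 variant bits
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def guid_password(u: uuid.UUID) -> str:
    """The scheme from the question: the first 8 characters of the GUID string."""
    return str(u)[:8]


def v1_password_is_timestamp(u: uuid.UUID) -> bool:
    """For a v1 GUID the 'password' is exactly the low 32 bits of the clock."""
    return guid_password(u) == f"{u.time & 0xFFFFFFFF:08x}"


def recover_v1_password(login_ok, approx_ts_100ns: int, window_100ns: int):
    """Guess the v1 prefix given a rough creation time and a login oracle.

    Neither the MAC address nor the clock sequence is needed, because only
    time_low reaches the password.  The search is 2*window candidates, i.e.
    about 10^7 per second of uncertainty, not the 2^32 that 8 hex digits
    nominally offer.  login_ok stands in for a real login form (hypothetical).
    """
    for ts in range(approx_ts_100ns - window_100ns, approx_ts_100ns + window_100ns + 1):
        candidate = f"{ts & 0xFFFFFFFF:08x}"
        if login_ok(candidate):
            return candidate
    return None


# What the answers recommend instead: a CSPRNG-backed password, not an identifier.
PASSWORD_ALPHABET = string.ascii_letters + string.digits


def random_password(length: int = 16) -> str:
    """Temporary password drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a password drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed scenario: the attacker registers and receives their own
    # GUID-derived password (hence a timestamp); the victim registered 20 ms
    # earlier, and the attacker allows +/- 50 ms of uncertainty.
    attacker_ts = 0x01E1234567890ABC
    victim_pw = guid_password(v1_from_timestamp(attacker_ts - 200_000))
    found = recover_v1_password(lambda pw: pw == victim_pw, attacker_ts, 500_000)
    print("victim password recovered:", found == victim_pw, found)
    # Even a v4 GUID (Python's uuid4 uses os.urandom) yields at most 32 bits here.
    print("8 hex chars of any GUID:", entropy_bits(16, 8), "bits")
    print("16-char secrets password:", round(entropy_bits(62, 16), 1), "bits,",
          random_password())
```

Two things to take from running it: for a v1 GUID the prefix is recoverable with a few hundred thousand login attempts once the creation time is known to within a fraction of a second, and even for a v4 GUID made from a proper CSPRNG the 8-character prefix caps out at 32 bits, which is far below the roughly 95 bits that a 16-character `secrets`-generated password gives for the same delivery cost.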

"Cryptanalysis of the WinAPI GUID generator shows that since the sequence of V4 GUIDs is pseudo-random, with full understanding of the internal state, previous and next values can be predicted." http://en.wikipedia.org/wiki/Globally_unique_identifier

I would not use it. After all, it's not so difficult to use a random number generator that is designed to be as random as possible rather than one that tries to guarantee global uniqueness.

+2

This article says not to use it.

+1

There are several GUID variants; some have parts that are predictable.

On the other hand, it is very simple to create random numbers.

Why use a dubious technique when a safe alternative is readily available?

+1

Using a piece of a GUID, or even all of it, is a very bad idea. Even if most of it is random, there is no guarantee that any particular part will be.

I'm not sure that using a hash of the GUID would have many problems, and better still would be a hash that combines the GUID with some other source of randomness (for example, you could hash the program start-up time and then generate each access code by returning part of the hash of the previous hash and a new GUID). If there is any randomness in the GUID generation, the entropy of the hash should increase with each iteration. Note that the access code should not reveal the entire hash value; some of it should be kept as secret internal state.

0
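The chain that answer describes, written out as an added example for this page (it is not the answerer's code): each access code is a prefix of H(previous_hash || new GUID), the rest of the digest is kept as secret state, and the chain is seeded from the program start-up time. The `ChainedCodeGenerator` class, the `constructed_guids` helper and the seed strings are hypothetical names and constructed inputs. The reproducibility check at the end is the caveat a practitioner would want: the chain is only as unpredictable as what goes into it.

```python
import hashlib
import time
import uuid
from typing import List, Optional


class ChainedCodeGenerator:
    """Sketch of the answer's scheme (hypothetical class, added for this page).

    state_0 = H(seed); state_i = H(state_{i-1} || GUID_i); code_i = prefix of state_i.
    Only code_bytes of each digest are ever handed out; the full digest stays
    internal, as the answer requires.
    """

    def __init__(self, seed: Optional[bytes] = None, code_bytes: int = 8):
        if seed is None:
            # The answer's suggestion: seed from program start-up time.
            seed = str(time.time_ns()).encode()
        self._state = hashlib.sha256(seed).digest()
        self._code_bytes = code_bytes

    def next_code(self, guid: Optional[uuid.UUID] = None) -> str:
        if guid is None:
            guid = uuid.uuid4()
        # Fold the new GUID into the chain; expose only a prefix of the digest.
        self._state = hashlib.sha256(self._state + guid.bytes).digest()
        return self._state[: self._code_bytes].hex()


def constructed_guids(n: int) -> List[uuid.UUID]:
    """Constructed, fully predictable GUIDs (the worst case for the chain)."""
    return [uuid.UUID(int=i) for i in range(1, n + 1)]


def codes_are_reproducible(seed: bytes, guids: List[uuid.UUID]) -> bool:
    """The catch: with a guessable seed and predictable GUIDs, two generators
    produce the identical code sequence, so the chain adds no entropy of its own."""
    a = ChainedCodeGenerator(seed)
    b = ChainedCodeGenerator(seed)
    return [a.next_code(g) for g in guids] == [b.next_code(g) for g in guids]


if __name__ == "__main__":
    gen = ChainedCodeGenerator(b"constructed-seed")
    print("codes:", [gen.next_code(g) for g in constructed_guids(3)])
    print("reproducible from seed + GUIDs:",
          codes_are_reproducible(b"constructed-seed", constructed_guids(3)))
```

Hashing hides the GUID's structure and keeps part of the state private, but it cannot manufacture entropy: a start-up time is guessable to within seconds and, as the other answers note, GUIDs are not guaranteed random, so an attacker who can reconstruct both inputs replays the whole sequence. That is the practical reason to prefer an OS CSPRNG (e.g. the `secrets` module) over any construction built on identifiers.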
