Delphi’s built-in 32-bit random generator is usually sufficient for most tasks, such as generating random numbers for tests, a game or something similar. However, from a security point of view, the generator is not strong enough for cryptographic uses such as password generation.
Random numbers
In the next version of kbmMW, a set of random number generators has been added for generating 32-bit and 64-bit random values, in addition to supporting the standard Delphi Random method.
32 bit random generators in kbmMW:
- TkbmMWRandomDelphi
- TkbmMWRandomPCGUInt32
- TkbmMWRandomMersenneTwisterUInt32
64 bit random generators in kbmMW:
- TkbmMWRandomSplitMix
- TkbmMWRandomXoroshiro128Plus
- TkbmMWRandomXoroshiro1024
- TkbmMWRandomMersenneTwisterUInt64
They all follow the same principle, and it’s easy to replace one with another, or even add another custom random generator.
To see the randomness of the generators, one can generate a lot of random X and Y values and plot them in a fine-meshed grid. A perfectly random function (which in reality does not exist in current computers) ought to spread the numbers fairly evenly across the grid.
[Plots of the generated X and Y values for each generator]
As can be seen, the Delphi random generator is pretty bad at producing values across the entire value space, while the others show a much more even spread, as would be expected of a fair random generator.
Choosing a random number generator for a particular purpose can be difficult. One has to weigh speed against randomness, full cycle time and other factors. Basically, the perfect random number generator does not exist at this time for regular computers.
These pages explain a bit about their weaknesses and strengths:
http://xoroshiro.di.unimi.it/
http://www.pcg-random.org/
But at least now you have a better choice. In fact, this brings us to the next section: generation of strong passwords.
Strong passwords
Most software today supports some sort of user login, where a password is required. kbmMW certainly supports that, through for example the authorization manager.
But the challenge is to force users to use good passwords that they still have a chance of remembering without writing them down.
As a first for Delphi, kbmMW now also supports multiple password generator algorithms to encourage use of strong passwords.
kbmMW comes with two password generators and a framework on which new custom password generators can be built:
- TkbmMWMixerPasswordGen
- TkbmMWKoremutakePasswordGen
The Mixer password generator supports selecting the minimum and maximum number of digits, minimum and maximum number of punctuation characters, unicase or mixed case, and minimum length of a generated password.
The Koremutake password generator generates a random 64-bit value and converts it into a string of two- and three-character groups, forming a semi-pronounceable password.
Using the password generators is very simple:
var
  pg: TkbmMWMixerPasswordGen;
begin
  pg := TkbmMWMixerPasswordGen.Create;
  try
    // Optionally set length, digits, punctuation and case settings.
    // By default a password will be at least 8 characters long,
    // contain from 1 to 4 digits, no punctuation characters
    // and use mixed-case alpha characters.
    Memo1.Lines.Add(pg.Generate);
  finally
    pg.Free;
  end;
end;
This could output: 69vcRPhw
var
  pg: TkbmMWKoremutakePasswordGen;
begin
  pg := TkbmMWKoremutakePasswordGen.Create;
  try
    Memo1.Lines.Add(pg.Generate);
  finally
    pg.Free;
  end;
end;
This could output: GUMIPAVYGRYTIFOFYSI
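The Koremutake conversion described above, as an added example in Python (not kbmMW code and not part of the original post). It assumes the published Koremutake table of 128 syllables, 7 bits each, and draws the 64-bit value from the operating system's CSPRNG, because the password is only as unpredictable as the generator behind it; the function names are hypothetical.

```python
import secrets

# Published Koremutake table (assumed to match kbmMW's): 128 syllables,
# so every syllable carries exactly 7 bits of the input value.
VOWELS = "AEIOUY"
ONSETS = ["B", "D", "F", "G", "H", "J", "K", "L", "M", "N", "P", "R", "S",
          "T", "V", "BR", "DR", "FR", "GR", "PR", "ST"]
SYLLABLES = [c + v for c in ONSETS for v in VOWELS] + ["TRA", "TRE"]
INDEX = {s: i for i, s in enumerate(SYLLABLES)}


def encode(value: int) -> str:
    """Write a non-negative integer in base 128, one syllable per digit."""
    if value < 0:
        raise ValueError("value must be non-negative")
    digits = [value & 0x7F]
    value >>= 7
    while value:
        digits.append(value & 0x7F)
        value >>= 7
    return "".join(SYLLABLES[d] for d in reversed(digits))


def decode(text: str) -> int:
    """Inverse of encode(); each syllable ends at its first vowel."""
    value, syllable = 0, ""
    for ch in text.upper():
        syllable += ch
        if ch in VOWELS:
            if syllable not in INDEX:
                raise ValueError(f"not a Koremutake syllable: {syllable!r}")
            value = (value << 7) | INDEX[syllable]
            syllable = ""
    if syllable:
        raise ValueError(f"trailing characters: {syllable!r}")
    return value


def generate_password() -> str:
    """Hypothetical helper: 64 bits from the OS CSPRNG, then encoded."""
    return encode(secrets.randbits(64))


if __name__ == "__main__":
    print(generate_password())
    # The sample output quoted in the post has 9 syllables (at most 63 bits).
    sample = "GUMIPAVYGRYTIFOFYSI"
    print(decode(sample).bit_length(), "significant bits in", sample)
```

A uniformly drawn 64-bit value encodes to 10 syllables about half the time and to fewer otherwise, so the password length varies from run to run.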
We will continue to monitor the various options for password generators, and provide support for them as we find them interesting.