Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!wasatch!cs.utexas.edu!usc!apple!well!nagle
From: nagle@well.UUCP (John Nagle)
Newsgroups: comp.unix.wizards
Subject: Re: PASSWORD GUESSING
Message-ID: <13252@well.UUCP>
Date: 21 Aug 89 05:54:17 GMT
References: <20648@adm.BRL.MIL> <19168@mimsy.UUCP>
Reply-To: nagle@well.UUCP (John Nagle)
Lines: 18

Some years ago, I was told by someone at the Computer Security Center that guidance on how to generate random (not pseudorandom) passwords under various operating systems would be forthcoming. Did this ever happen?

An adequate approach is to get bits from places like the low-order bits of a fast clock, angular address registers of disk controllers, horizontal position registers of display controllers, and other rapidly changing sources. Such schemes, though, need to be looked at carefully by people who have some idea of cryptographic key generation.

Any deterministic scheme is no good, of course. I've seen code posted which uses the output from time(II) as input to a password generator. Anything that works that way is easy to crack.

                                        John Nagle
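An added example, not part of the original post: a password generator driven only by a time() value, an audit routine showing that its output space is just the number of seconds in the issuing window, and a replacement that draws from the operating system's random source. The LCG constants, the 36-character alphabet, the function names and the use of /dev/urandom are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>
#define PWLEN 8
static const char ALPHA[] = "abcdefghijklmnopqrstuvwxyz0123456789"; /* 36 symbols */

/* Weak: every character is fully determined by the seed (constructed LCG). */
void weak_password(uint32_t seed, char out[PWLEN + 1]) {
    for (int i = 0; i < PWLEN; i++) {
        seed = seed * 1103515245u + 12345u;
        out[i] = ALPHA[(seed >> 16) % 36];
    }
    out[PWLEN] = '\0';
}

/* Audit: count seeds in [from, to] that reproduce pw; the search space is that window. */
long seeds_matching(const char *pw, uint32_t from, uint32_t to, uint32_t *found) {
    char buf[PWLEN + 1];
    long hits = 0;
    for (uint32_t s = from; ; s++) {
        weak_password(s, buf);
        if (strcmp(buf, pw) == 0) { hits++; *found = s; }
        if (s == to) break;              /* avoids wraparound when to == UINT32_MAX */
    }
    return hits;
}

/* Hardened: bytes from the kernel random source, rejection-sampled against modulo bias. */
int strong_password(char out[PWLEN + 1]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (int i = 0; i < PWLEN; ) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if (c < 252) out[i++] = ALPHA[c % 36];   /* 252 = 7 * 36, so c % 36 is uniform */
    }
    out[PWLEN] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    char pw[PWLEN + 1], good[PWLEN + 1];
    uint32_t issued = (uint32_t)time(NULL), seed = 0;
    weak_password(issued, pw);
    long hits = seeds_matching(pw, issued - 86400u, issued, &seed);
    printf("weak %s: %ld match(es) among 86401 seeds (one day)\n", pw, hits);
    if (strong_password(good) == 0) printf("strong %s\n", good);
    return 0;
}
```

The weak generator can emit 36^8 distinct strings in principle, but a one-day issuing window leaves only 86401 of them reachable, which is the sense in which a time-seeded scheme is deterministic.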