Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!samsung!uunet!indetech!cirrus!dhesi
From: dhesi@cirrus.com (Rahul Dhesi)
Newsgroups: comp.org.eff.talk
Subject: Re: Should we let students run COPS to get each other's passwords?
Message-ID: <1991Jun18.205258.25918@cirrus.com>
Date: 18 Jun 91 20:52:58 GMT
References: <1991Jun14.193545.24869@athena.cs.uga.edu> <1991Jun17.144526.16230@ddsw1.MCS.COM> <27141@as0c.sei.cmu.edu>
Sender: news@cirrus.com
Organization: Cirrus Logic Inc.
Lines: 32

In <27141@as0c.sei.cmu.edu> df@sei.cmu.edu (Dan Farmer) writes:

> *Any* word that is found in a dictionary can be easily guessed...

The other day, while I was being shaved by my barber (who is, incidentally, clean-shaven himself), I happened to think about word lists used for screening out guessable passwords. It occurred to me that, as storage costs get lower, online word lists are getting bigger and bigger. My own personal CD-ROM collection of meaningful words (in 17 languages) is huge, and includes most possible character sequences that you might want to use as passwords. As a result, the number of 8-character passwords that are not guessable is becoming smaller and smaller.

Checking to make sure that a password used is not in any online word lists can be very time-consuming. It is more efficient to generate in advance what I call a LOWNIAL (list of words not in any list). Ideally you would use a modified /bin/passwd program that would accept a password only if it was found in the online LOWNIAL, and reject all others.

Would you like to see the LOWNIAL database as a commercial product? How much would you pay for it? Should it be accompanied by the source code for a /bin/passwd program?

Also, an interesting philosophical question occurs to me: If there were more than one vendor selling a LOWNIAL, should each vendor's LOWNIAL exclude all words occurring in all other vendors' LOWNIALs?
-- 
Rahul Dhesi
UUCP: oliveb!cirrusl!dhesi
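The word-list screening that Farmer's quoted line and the post both refer to, written out as an added example (not code from the post or from COPS): a candidate password is rejected if it, or a lightly disguised form of it, is a dictionary word. The word list and the passwords are constructed stand-ins.

```python
import re

# Constructed mini word list standing in for the "online word lists" the post
# mentions; a real deployment would load /usr/share/dict/words or similar.
WORD_LIST = {"secret", "password", "barber", "dictionary", "toronto", "rahul"}

# Undo the usual disguises ("p@$$w0rd", "s3cret") so they are caught as well.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(password: str) -> set:
    """Return every dictionary lookup to try for one password."""
    base = password.lower()
    # Strip leading/trailing digits and punctuation ("secret1", "!secret!").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    forms = {base, base[::-1], base.translate(LEET),
             stripped, stripped[::-1], stripped.translate(LEET)}
    return {f for f in forms if f}


def screen_password(password: str, words=WORD_LIST, min_len: int = 8) -> str:
    """Return 'ok' or the reason the password should be rejected."""
    if len(password) < min_len:
        return "too short"
    for form in candidates(password):
        if form in words:
            return f"based on dictionary word '{form}'"
    # Also reject two dictionary words glued together ("barbersecret").
    base = password.lower()
    for i in range(3, len(base) - 2):
        if base[:i] in words and base[i:] in words:
            return f"concatenation of '{base[:i]}' and '{base[i:]}'"
    return "ok"


if __name__ == "__main__":
    for pw in ["Toronto1!", "p@$$w0rd", "barbersecret", "short", "xq7!Lp2#vz"]:
        print(f"{pw!r}: {screen_password(pw)}")
```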