Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!umd5!uvaarpa!mcnc!rti!trt From: trt@rti.UUCP (Thomas Truscott) Newsgroups: comp.unix.questions Subject: Re: Password Choices Summary: Never ever trust a password generating program Message-ID: <2378@rti.UUCP> Date: 20 Jul 88 04:55:21 GMT References: <16562@brl-adm.ARPA> Organization: Research Triangle Institute, RTP, NC Lines: 53 All the password generators that I have ever seen can be broken by straightforward attacks. Password generators are dangerous in the same way that weak cipher systems are dangerous -- they create a false sense of security. A truly *random* password generator would be fine, the problem is that randomness is hard to come by. Consider the typical password generating program: srand(time((time_t *)0))); /* seed "random" number generator */ .... generate "random" password ... srand (or srandom) accepts only a 32 bit seed, which means this program generates *at most* 2^32 different passwords, whereas DES accepts a 56 bit key. So right off we have lost considerable "randomness". (This type of problem is mentioned in a cryptic paragraph in "Password Security -- A Case History" by Robert Morris and Ken Thompson.) It is also very misleading to use srand/rand since the time-of-day is our only source of randomness. For example, the hexadecimal representation of the time-of-day is 8 characters long and can be used directly as the generated password. Please, never ever use srand/rand in a password generating program! Much worse, the time of day is *highly* predictable. If a password's creation time can be guessed within a few hours it can be found out in just a minute or so of computation. (This is particularly easy if one can periodically snapshot the list of encrypted passwords.) It is possible to do even worse -- one password generator posted to Usenet produced only about 1000 different passwords. One can do much better by using other semi-random values such as the current tv_usec (gettimeofday), millitm (ftime), process id (getpid), and so on. But that is not enough. Try this: ask the user to press and then perform a busy loop such as: long count = 0; while (!interrupted && ++count < HUGE) ; /* (If count >= HUGE the user wasted too much cpu time. Retry.) */ /* (If the high-order bits are zero we did not loop enough. Retry.) */ /* low-order 16 bits of count are fairly random now */ Do this three times to obtain 48 semi-random bits. XOR into that the various semi-random values mentioned above. Now generate an 8 character long password by using 6 bits per character ("base-64" characters ala uuencode). Post THAT to the net. Please. I promise I will use it. Help stamp out bogus password generators! Tom Truscott