Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!uwmcsd1!marque!uunet!mcvax!ukc!strath-cs!jim
From: jim@cs.strath.ac.uk (Jim Reid)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: passwords
Message-ID: <1263@stracs.cs.strath.ac.uk>
Date: 16 Nov 88 17:19:07 GMT
References: <8811090956.AA07706@LANAI.MCL.UNISYS.COM>
Reply-To: jim@cs.strath.ac.uk
Organization: Comp. Sci. Dept., Strathclyde Univ., Scotland.
Lines: 29

In article <8811090956.AA07706@LANAI.MCL.UNISYS.COM> perry@MCL.UNISYS.COM (Dennis Perry) writes:
>.... description of a password generating program
>I strongly encourage everyone to use such a password generator and not
>allow people to generate their own passwords.

This is probably not a good idea. Programs which generate passwords can all too easily generate a small number of potential passwords. All that an intruder needs to do is establish the algorithm used (no doubt based on a pseudo-random number generator) and then create a list of all the potential passwords that the program generates. That list - which might be quite small (say 50-100,000) - could then be encrypted and compared with the entries in the password file. This would only take a few hours CPU time to do. If all the user's passwords were forcibly chosen by a password generating program, the intruder would get every password on that computer!

Insisting that people use password generating programs (or enforcing password ageing for that matter) is potentially dangerous. They give the illusion of security (having frequent password changes and/or "random" passwords) when in fact the choice of passwords in use is quite likely to be sub-optimal.

		Jim
--
ARPA:	jim%cs.strath.ac.uk@ucl-cs.arpa, jim@cs.strath.ac.uk
UUCP:	jim@strath-cs.uucp, ...!uunet!mcvax!ukc!strath-cs!jim
JANET:	jim@uk.ac.strath.cs

"JANET domain ordering is swapped around so's there'd be some use for rev(1)!"
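The point Jim makes above, that a generator built on a pseudo-random number generator can only ever emit as many distinct passwords as it has distinct seeds, no matter how long or random-looking each password is, can be checked directly. The following is an added audit example, not code from the post or from any generator discussed in the thread. The toy `seeded_password` generator, its 8-character alphanumeric format, and the seed widths are all constructed for illustration; the comparison generator draws from the operating system's entropy source via Python's `secrets` module.

```python
"""
Added example: auditing the reachable output space of a password generator.

A generator whose only source of randomness is a small PRNG seed (a 16-bit
counter, a clock value, a process id) can produce at most 2**seed_bits
distinct passwords. Its *apparent* strength (length * log2(alphabet)) is
irrelevant once the seed space is smaller than that. The functions below
measure both and enumerate a toy generator to show the gap.
"""
import math
import random
import secrets
import string

# Constructed parameters: 62-symbol alphabet, classic 8-character password.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 8


def seeded_password(seed: int, length: int = LENGTH) -> str:
    """Toy generator (constructed for this example): output is a pure
    function of a small integer seed, exactly the weakness the post describes."""
    rng = random.Random(seed)          # deterministic Mersenne Twister state
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_password(length: int = LENGTH) -> str:
    """Comparison generator: every symbol comes from the OS entropy source,
    so there is no small seed space to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def apparent_entropy_bits(length: int = LENGTH,
                          alphabet_size: int = len(ALPHABET)) -> float:
    """What the password format *looks* like it offers: log2(alphabet**length)."""
    return length * math.log2(alphabet_size)


def seed_bits_for_window(seconds: int) -> float:
    """A generator seeded from the clock with one-second resolution, over a
    window of `seconds`, has at most log2(seconds) bits of seed entropy."""
    return math.log2(seconds)


def effective_entropy_bits(seed_bits: float,
                           length: int = LENGTH,
                           alphabet_size: int = len(ALPHABET)) -> float:
    """Real strength is bounded by the smaller of seed space and format space."""
    return min(seed_bits, apparent_entropy_bits(length, alphabet_size))


def reachable_passwords(seed_bits: int) -> set:
    """Enumerate every output the toy generator can produce for a given
    seed width. Kept small (<= ~16 bits) so the audit runs in seconds."""
    return {seeded_password(s) for s in range(1 << seed_bits)}


def audit(seed_bits: int) -> dict:
    """Summarise apparent vs. actual diversity for the toy generator."""
    reachable = reachable_passwords(seed_bits)
    return {
        "apparent_bits": round(apparent_entropy_bits(), 2),
        "seed_bits": seed_bits,
        "distinct_passwords": len(reachable),
        "effective_bits": round(math.log2(len(reachable)), 2),
    }


if __name__ == "__main__":
    # A 16-bit seed space is in the 50-100,000 range the post mentions.
    print(audit(16))
    # A clock-seeded generator over one year: ~25 bits, still far below
    # the ~47.6 bits an 8-character alphanumeric format appears to give.
    print("1 year of seconds ->", round(seed_bits_for_window(365 * 86400), 1), "bits")
    print("strong sample:", strong_password())
```

`audit(16)` reports roughly 47.6 apparent bits against exactly 16 effective bits: the generator can never produce more than 65,536 distinct passwords, which is the small, fully enumerable list the post warns about. The defensive takeaway is that a generator's seed entropy, not its output format, is what to review, and that any generator meant to issue passwords should draw from an operating-system entropy source rather than a seeded PRNG.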