Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!decwrl!labrea!rutgers!deimos!uxc!uxc.cso.uiuc.edu!m.cs.uiuc.edu!p.cs.uiuc.edu!gillies
From: gillies@p.cs.uiuc.edu
Newsgroups: comp.protocols.tcp-ip
Subject: Re: passwords
Message-ID: <93400010@p.cs.uiuc.edu>
Date: 16 Nov 88 19:09:00 GMT
Lines: 20
Nf-ID: #R:<8811090956.AA07706@LANAI.MCL.UN:-41:p.cs.uiuc.edu:93400010:000:931
Nf-From: p.cs.uiuc.edu!gillies Nov 16 13:09:00 1988

Password generators are a *nice idea*. But I wouldn't rush out and
start using them without some thorough testing:

(1) Can you give me *an estimate* of the number of pronounceable
8-character words? Will this program generate all of them? If not,
exactly how many different words will it generate?

(2) What if I know, to within 1 minute, the time of creation of the
login (or last password change), and the password/random number
algorithm. Can I exhaustively search for the password, assuming the
random number generator gets its seed from the clock?

(3) How *random* is the random number generator? What is the period
of the generator? What is the approximate "loss of randomness" when
mapping this number onto a password? (i.e. if the map is not "onto",
on the average, how many seeds result in a given password?)

(4) Are some passwords generated much more frequently than others, by
this password generation program?
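
Questions (2) to (4) can be answered empirically by auditing a generator before deploying it. The following is an added example, not part of the original post and not the program under discussion: a constructed toy generator (consonant/vowel alternation, a small LCG and the sample clock value are all assumptions) is run over every seed a clock could have supplied, and the reachable password count and entropy are compared with the size of the pattern space.

```python
import math
from collections import Counter

CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21 letters
VOWELS = "aeiou"
CHANGE_TIME = 595710540                # constructed sample clock value, in seconds

def generate(seed):
    """Hypothetical generator under audit: 8 letters, alternating
    consonant/vowel, driven by a 31-bit LCG seeded from the clock."""
    state = seed & 0x7FFFFFFF
    letters = []
    for i in range(8):
        state = (state * 1103515245 + 12345) & 0x7FFFFFFF
        alphabet = CONSONANTS if i % 2 == 0 else VOWELS
        # Modulo mapping introduces a slight letter bias (question 4).
        letters.append(alphabet[(state >> 16) % len(alphabet)])
    return "".join(letters)

def pattern_keyspace():
    """Passwords the pattern could express if every choice were independent."""
    return len(CONSONANTS) ** 4 * len(VOWELS) ** 4

def audit(seeds):
    """Run the generator over every candidate seed and measure its output."""
    counts = Counter(generate(s) for s in seeds)
    total = sum(counts.values())
    entropy = -sum(c / total * math.log2(c / total) for c in counts.values())
    return {
        "seeds": total,
        "distinct": len(counts),                    # passwords actually reachable
        "seeds_per_password": total / len(counts),  # question 3: map not "onto"
        "max_repeats": max(counts.values()),        # question 4: most frequent output
        "entropy_bits": entropy,                    # Shannon entropy, uniform seeds
        "pattern_bits": math.log2(pattern_keyspace()),
    }

if __name__ == "__main__":
    windows = {
        "clock known to 1 minute": range(CHANGE_TIME - 30, CHANGE_TIME + 30),
        "16-bit seed": range(2 ** 16),
    }
    for name, seeds in windows.items():
        r = audit(seeds)
        print(f"{name}: {r['distinct']} distinct of {r['seeds']} seeds, "
              f"{r['entropy_bits']:.1f} bits vs {r['pattern_bits']:.1f} for the pattern")
```

Whatever the pattern allows, the output entropy can never exceed log2 of the number of candidate seeds, so a generator that passes this audit needs a seed source at least as large as the password space it claims.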