Xref: utzoo comp.unix.wizards:12565 news.sysadmin:1560
Path: utzoo!utgpu!watmath!clyde!att!mtuxo!mtgzy!mtgzz!avr
From: avr@mtgzz.att.com (a.v.reed)
Newsgroups: comp.unix.wizards,news.sysadmin
Subject: Re: Worm/Passwords
Summary: You call THAT a password?
Message-ID: <4668@mtgzz.att.com>
Date: 17 Nov 88 23:01:42 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <251@ispi.UUCP>
Organization: AT&T, Middletown NJ
Lines: 20

In article <251@ispi.UUCP>, jbayer@ispi.UUCP (id for use with uunet/usenet) writes:
> It is possible to adopt a single system, if that system is random. For
> example, I have included below a random password generating program, written
> for SYS V, but I have been told that it does compile on BSD (please, no flames)
> BSD systems may have to change the lines with srand48() and lrand48().

And after you generate this random "password", no human user will be able
to remember it. And so your users will write the "passwords" down, paste
them on their terminals, keep them in the top drawers of their desks, carry
them in their pockets and lose them in the cafeteria - do I need to go on?

If it is written down, *IT IS NOT A SECURE PASSWORD*. And if it cannot be
reliably *remembered* by the average user, it *WILL* be written down. The
world's least secure systems are those whose security is managed by the
"I program computers, don't bother me with human psychology" types.

Yes, there are good programs that generate passwords which incorporate a
random element but can be remembered by humans anyway. To design such a
program, you have to know not only what is difficult to crack, but also
what is easy for people to remember. (Hint: ever used AT&T Mail?)

Adam Reed (avr@mtgzz.ATT.COM)
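The trade-off Reed describes (random strings that nobody remembers versus generators that keep a random element but produce something memorable) can be made concrete by measuring the entropy of each scheme. The following is an added example written for this page; it is not the program jbayer posted (which is not reproduced here) and not AT&T Mail's generator. It uses Python's secrets module as the random source in place of the srand48()/lrand48() calls the quoted post mentions, and the consonant/vowel alphabets and the 32-word list are constructed for the example.

```python
"""Three password schemes, each with its entropy in bits, to show the
memorability/strength trade-off. Entropy here assumes the attacker knows
the scheme and that every choice is uniform and independent, which is
exactly what a CSPRNG-driven generator provides."""
import math
import secrets
import string

# Constructed alphabets for this example: q, x and y are left out of the
# consonant set because they make syllables harder to say.
CONSONANTS = "bcdfghjklmnprstvwz"  # 18 letters
VOWELS = "aeiou"                   # 5 letters

# A toy 32-word list, constructed for the example. Real passphrase
# generators use lists of thousands of common words; with only 32 words
# each word contributes just log2(32) = 5 bits.
WORDS = (
    "apple bread cloud dance eagle flame grape house ivory joker "
    "knife lemon maple night ocean piano queen river stone tiger "
    "uncle vapor water xenon yacht zebra amber birch cedar delta "
    "ember frost"
).split()


def entropy_bits(choices_per_position):
    """Entropy of a value built from independent uniform choices:
    the sum over positions of log2(number of choices at that position)."""
    return sum(math.log2(n) for n in choices_per_position)


def random_string_password(length=8, alphabet=string.ascii_letters + string.digits):
    """The scheme the quoted post advocates: uniformly random characters."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_string_entropy(length=8, alphabet=string.ascii_letters + string.digits):
    return entropy_bits([len(alphabet)] * length)


def pronounceable_password(syllables=6):
    """Alternate a random consonant and a random vowel so the result can be
    spoken aloud. Each syllable is worth log2(18 * 5) = 6.49 bits."""
    chars = []
    for _ in range(syllables):
        chars.append(secrets.choice(CONSONANTS))
        chars.append(secrets.choice(VOWELS))
    return "".join(chars)


def pronounceable_entropy(syllables=6):
    return entropy_bits([len(CONSONANTS), len(VOWELS)] * syllables)


def is_pronounceable(password):
    """Verify the consonant/vowel alternation the generator promises."""
    if len(password) == 0 or len(password) % 2:
        return False
    return all(
        (c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
        for i, c in enumerate(password)
    )


def passphrase(words=4, wordlist=WORDS, sep="-"):
    """Random words from a list: the most memorable form, as strong as the
    list is large."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy(words=4, wordlist=WORDS):
    return entropy_bits([len(wordlist)] * words)


def compare_schemes():
    """Return (scheme, sample, entropy bits) for each generator."""
    return [
        ("random 8 chars", random_string_password(8), random_string_entropy(8)),
        ("6 CV syllables", pronounceable_password(6), pronounceable_entropy(6)),
        ("4 words of 32", passphrase(4), passphrase_entropy(4)),
    ]


if __name__ == "__main__":
    for name, sample, bits in compare_schemes():
        print(f"{name:16s} {sample:28s} {bits:5.1f} bits")
```

Running it shows the point of the post in numbers: eight random alphanumerics give about 47.6 bits but look like line noise; six consonant/vowel syllables give about 39 bits and read like a word; four words from the toy list give only 20 bits, which is why a real word-based generator needs a list of thousands of words, not 32, to reach comparable strength while staying memorable.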