Xref: utzoo comp.unix.wizards:12310 news.sysadmin:1347
Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.unix.wizards,news.sysadmin
Subject: Re: Worm/Passwords
Message-ID: <31031@think.UUCP>
Date: 11 Nov 88 17:07:31 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <251@ispi.UUCP>
Sender: news@think.UUCP
Reply-To: barmar@kulla.think.com.UUCP (Barry Margolin)
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 26

In article <251@ispi.UUCP> jbayer@ispi.UUCP (id for use with uunet/usenet) writes:
>It is possible to adopt a single system, if that system is random.

As has been pointed out in many papers on security, random passwords open up a big security hole. They are hard to remember, so users are more likely to write them down. One of the rules of good password management is "Don't write your password anywhere."

Multics has a password generator that tries to help in this regard. Rather than generating a completely random string of characters, it generates fake words. It has tables of syllables and digraphs, and some rules for which syllables are likely to follow others in a pronounceable word (probably based on a statistical analysis of English). The syllables are then combined randomly, with skewing based on the combination rules. These nonsense words are easier to remember than completely random strings.

A problem with this Multics feature is that a cracker who knows that a user uses a generated password could probably generate a list of all the generated words in order of likely generation.

Barry Margolin
Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
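The following is an added example, not part of the post above and not the actual Multics generator: a toy syllable-table generator in Python, built on a constructed ten-entry syllable table and a constructed combination rule (alternate vowel and consonant at the syllable boundary, weight 4 versus 1), together with the exact Shannon entropy of the distribution it draws from. The entropy function quantifies the caveat in the last paragraph: skewing the combination toward pronounceable words shrinks the effective search space relative to uniform syllable selection, and both are far below a random letter string of the same length. Names, table contents and weights are all assumptions made for illustration.

```python
import math
import random

# Constructed syllable table (hypothetical; the real Multics tables were far larger).
# The first five entries end in a vowel, the last five start with one.
SYLLABLES = ["ba", "ko", "ti", "mu", "re", "ab", "ok", "it", "um", "er"]
VOWELS = set("aeiou")


def transition_weight(prev, nxt):
    """Constructed combination rule: a boundary that alternates vowel and consonant
    ("ba"+"ko" -> "bako") gets weight 4; one that clusters them ("ba"+"ab" -> "baab",
    "ab"+"ko" -> "abko") gets weight 1."""
    alternates = (prev[-1] in VOWELS) != (nxt[0] in VOWELS)
    return 4.0 if alternates else 1.0


def next_distribution(prev):
    """Probability of each table entry following `prev`, from the skewed weights."""
    weights = [transition_weight(prev, s) for s in SYLLABLES]
    total = sum(weights)
    return [w / total for w in weights]


def generate_password(n_syllables, rng=None):
    """Draw a uniformly random first syllable, then extend it with draws skewed by
    the combination rule. In real use `rng` should be random.SystemRandom(); it is
    a parameter so a demo can pass a seeded generator for reproducibility."""
    if rng is None:
        rng = random.SystemRandom()
    chosen = [rng.choice(SYLLABLES)]
    for _ in range(n_syllables - 1):
        probs = next_distribution(chosen[-1])
        chosen.append(rng.choices(SYLLABLES, weights=probs, k=1)[0])
    return "".join(chosen)


def generator_entropy_bits(n_syllables):
    """Exact Shannon entropy (bits) of the distribution generate_password() samples:
    H(first) + sum over later positions of E_prev[H(next | prev)], propagating the
    marginal over the previous syllable through the chain step by step."""
    n = len(SYLLABLES)
    marginal = [1.0 / n] * n  # first syllable is uniform over the table
    bits = math.log2(n)
    for _ in range(n_syllables - 1):
        step_bits = 0.0
        new_marginal = [0.0] * n
        for i, prev in enumerate(SYLLABLES):
            probs = next_distribution(prev)
            step_bits -= marginal[i] * sum(p * math.log2(p) for p in probs if p > 0)
            for j, p in enumerate(probs):
                new_marginal[j] += marginal[i] * p
        bits += step_bits
        marginal = new_marginal
    return bits


def uniform_syllable_bits(n_syllables):
    """Entropy if every syllable were drawn uniformly, with no combination rule."""
    return n_syllables * math.log2(len(SYLLABLES))


def uniform_letter_bits(n_letters):
    """Entropy of a truly random lowercase string of the same length."""
    return n_letters * math.log2(26)


def is_table_word(word):
    """True if `word` splits into table entries (every entry here is two letters)."""
    return len(word) % 2 == 0 and all(
        word[i:i + 2] in SYLLABLES for i in range(0, len(word), 2)
    )


if __name__ == "__main__":
    demo_rng = random.Random(2024)  # fixed seed only so the demo is reproducible
    for _ in range(3):
        print(generate_password(3, demo_rng))
    print(f"skewed generator:  {generator_entropy_bits(3):.2f} bits")
    print(f"uniform syllables: {uniform_syllable_bits(3):.2f} bits")
    print(f"random letters:    {uniform_letter_bits(6):.2f} bits")
```

With this toy table, three syllables give about 9.41 bits from the skewed generator against 9.97 bits for uniform syllable selection and 28.2 bits for six random lowercase letters; the skew alone costs about half a bit here, and the much larger gap to random letters is the price paid for memorability. The useful practice for anyone deploying such a generator is to run this kind of entropy accounting over the real tables and rules, so that the word length is chosen from the measured effective keyspace rather than from the letter count.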