Path: utzoo!utgpu!watmath!clyde!att!pacbell!ames!nrl-cmf!ukma!cwjcc!hal!ncoast!allbery
From: allbery@ncoast.UUCP (Brandon S. Allbery)
Newsgroups: comp.unix.wizards
Subject: Re: Worm/Passwords
Message-ID: <13204@ncoast.UUCP>
Date: 3 Dec 88 17:51:14 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <251@ispi.UUCP> <205@twwells.uucp> <8981@smoke.BRL.MIL> <220@twwells.uucp> <8998@smoke.BRL.MIL>
Reply-To: allbery@ncoast.UUCP (Brandon S. Allbery)
Followup-To: comp.unix.wizards
Organization: Cleveland Public Access UN*X, Cleveland, Oh
Lines: 80

As quoted from <8998@smoke.BRL.MIL> by gwyn@smoke.BRL.MIL (Doug Gwyn ):
+---------------
| In article <220@twwells.uucp> bill@twwells.UUCP (T. William Wells) writes:
| >Using a better database might create more or better passwords. And
| >each user could have his own database; this makes knowledge of the
| >travesty algorithm useless for guessing someone's password.
|
| I didn't mean to imply that this approach wasn't viable, but I
| couldn't resist the experiment and thought (since the posted travesty
| program wasn't runnable on anything except MS-DOS) that an illustration
| of what "travesty" produces might be informative to many readers.
|
| Indeed, use of samples of a natural language itself as a database
| for producing statistically similar "random" text is a good idea.
| I seem to recall one of the Computer Recreations columns in
| Scientific American a couple of years ago exploring this method.
|
| Certainly a larger, more varied database would have produced a better
| selection of passwords.
+---------------

Since I seem to have started this thread, let me point out that I never
expected that "pwgen" was perfect. Indeed, the version I posted was only a
first approximation. (I should mention that the phoneme and spelling
databases were culled from a number of comp.unix.wizards articles. ;-)

I'm not going to leave "pwgen" as is; I'm going to experiment with more
phonemes, combinations of same, and random number generation. It was
pointed out to me that my srand() call was fairly easy to predict; true, but
it was just an example; add in such things as a checksum of the contents of
the process table and etc. and it becomes impossible to duplicate the RNG
seed without a snapshot of the entire system at the time the program is run.
Hardware random numbers (i.e. "/dev/static", which is just an A/D converter
attached to a radio receiver tuned to a frequency filled with static ;-) are
another possibility. Not that I can test that last on ncoast.... (Note the
smiley; I can think of a fairly easy way for a hardware hacker to break it,
and a good reason why it wouldn't work anyway. It's just an idea for people
to think about, to get the creative juices flowing. For that matter, so is
pwgen.)

At least one person has expressed a desire to add pwgen to the UN*X his
company is shipping. One word to all who are contemplating this: DON'T.
Pwgen is a first attempt at code to implement an idea; I don't claim it to
be the best way to do it, and it has a number of problems as is. (The
biggest may be the databases. Look at them and tell me how easy it is to
change them, either to add phonemes or spellings or to "nationalize" it.
When I put the databases together I decided that the next upgrade would
include a database generator.) Nor do I claim that the idea itself is in
either a final or a useable form. Pwgen DOES work to some extent, but I'd
hate to see a large number of sites try to base their security on it as is.

Just in case anyone's interested, here's a run of "pwgen 8 96". This was
run on ncoast, with its less-than-useable rand(); I will recompile with
another RNG and see how it affects the output. (Press "n" if you aren't
interested...)

shetheg  ehooshi  ooreyov  uudotush fequasi  ifoomih  etequam  aroochoo
ronuthi  phelide  ngaehoo  ngoomoh  ushudath rongovi  ipalema  uchukoe
tixoora  chibith  hooburi  komoofo  koosiqu  tingofi  soyichoo goothur
soovire  epaethoo thidoqu  meidong  oojaqui  uchokix  xithabo  jogirath
tofiqua  nuphadi  mooloot  jithulu  neoouse  rofunequ ratheth  nerekos
uboroaqu quiloop  giligath nofedij  yoteeub  ooxekam  mothoob  achaniu
senohev  aeboove  mebokeu  quigooy  gujinoo  chetone  ixoosil  ngadeyi
nihochi  modaepu  peraboth ngitooth hoothoch oudutix  ichafea  boyothe
joonguf  patuxong egooxoo  thotahu  oosoipe  choongi  ogootha  hiheeip
hogoojee ipaedaa  thipair  hipusab  ehoothae thilise  oopuloo  isimequ
agiuveb  singaab  oojasho  iyefooj  ootuoov  thaniay  revisai  akichoo
vojeting ngiremae rikakee  nathehe  mithisi  beaepin  xeruvep  ihayouu

I see a few problems in here, like a tendency to overuse "oo"; since
"pwgen" has a few bugs, it'll be interesting to see what happens when I fix
them.

++Brandon
--
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery  ncoast!allbery@hal.cwru.edu
allberyb@skybridge.sdi.cwru.edu  allbery@uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
Send comp.sources.misc submissions to comp-sources-misc@.
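As an added illustration (not Brandon's pwgen, whose source is not on this page), a minimal phoneme-based generator in C that isolates the srand() point made in the post: with a seeded rand() the password is a deterministic function of the seed, so a guessable seed such as the clock shrinks the effective password space to the number of plausible seeds, while drawing each choice from the kernel entropy pool leaves no seed to reconstruct. The phoneme table is constructed here as a stand-in for pwgen's database, and /dev/urandom is assumed to be available as the entropy source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed phoneme table (assumption: pwgen's real database is not on the
 * page). Exactly 32 entries, so "% 32" is unbiased for a power-of-two range. */
static const char *const PHONEMES[32] = {
    "sh","th","ch","ng","qu","b","d","f","g","h","j","k","l","m","n","p",
    "r","s","t","v","x","y","z","a","e","i","o","u","oo","ee","ai","ou"
};
/* Concatenate phonemes chosen by next() until exactly len chars are filled;
 * a phoneme that would overrun is skipped, single letters ensure termination. */
static void build(char *out, size_t len, unsigned (*next)(void))
{
    size_t pos = 0;
    while (pos < len) {
        const char *p = PHONEMES[next() % 32];
        size_t n = strlen(p);
        if (n <= len - pos) { memcpy(out + pos, p, n); pos += n; }
    }
    out[len] = '\0';
}
static unsigned from_rand(void) { return (unsigned)rand(); }

/* Weak variant: the password is a deterministic function of seed. Seeding
 * from the clock, as the post describes, leaves only as many candidate
 * passwords as there are plausible seeds, whatever length is requested. */
void pwgen_seeded(char *out, size_t len, unsigned seed)
{
    srand(seed);
    build(out, len, from_rand);
}
/* Stronger variant: each choice comes from the kernel entropy pool, so there
 * is no seed to reconstruct (assumes /dev/urandom exists). */
static unsigned from_urandom(void)
{
    static FILE *f;
    unsigned v;
    if (!f) f = fopen("/dev/urandom", "rb");
    if (!f || fread(&v, sizeof v, 1, f) != 1) { perror("/dev/urandom"); exit(1); }
    return v;
}
void pwgen_strong(char *out, size_t len) { build(out, len, from_urandom); }

int main(void)
{
    char a[9], b[9], c[9];
    pwgen_seeded(a, 8, 1u); pwgen_seeded(b, 8, 1u); /* identical output */
    pwgen_strong(c, 8);
    printf("seed 1: %s %s\nurandom: %s\n", a, b, c);
    return 0;
}
```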