Path: utzoo!utgpu!watmath!clyde!att!occrsh!occrsh.ATT.COM!scsmo1.UUCP!tim
From: tim@scsmo1.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <2400004@scsmo1.UUCP>
Date: 31 Dec 88 04:05:00 GMT
References: <228@sea375.UUCP>
Lines: 21
Nf-ID: #R:sea375.UUCP:-22800:scsmo1.UUCP:2400004:000:982
Nf-From: scsmo1.UUCP!tim Dec 30 22:05:00 1988

One thing to keep in mind is that a valid password may not be the same one the user set. For example the passwords iopwwe and wer4543 may encrypt to the same string. This is because the DES method is nonreversible, you can find a valid password but you can't be sure it is the correct one.

If you generate a 56 bit key from a phrase, all that happens is that you generate more strings that will work. I think that the number of strings

I like the idea of a 6+ char password with a non-alpha character in it works better as there are about 6.63e15 combinations with about 2.2e14 that most users might pick. The string approach has more combinations 7.1e139 but most people have a <20k word vocabulary, will use a common phrase, and 2^56 is 7.2e16. I would guess that the number of real strings to search is around 100,000.

The other drawback is that the string is easy to watch someone type.

tim hogard
tim@scsmo1.uucp
Soil Conservation Service USDA