Password Choices
Thomas Truscott
trt at rti.UUCP
Wed Jul 20 14:55:21 AEST 1988
All the password generators that I have ever seen
can be broken by straightforward attacks.
Password generators are dangerous in the same way
that weak cipher systems are dangerous --
they create a false sense of security.
A truly *random* password generator would be fine,
the problem is that randomness is hard to come by.
Consider the typical password generating program:
srand(time((time_t *)0))); /* seed "random" number generator */
.... generate "random" password ...
srand (or srandom) accepts only a 32 bit seed,
which means this program generates *at most* 2^32 different passwords,
whereas DES accepts a 56 bit key.
So right off we have lost considerable "randomness".
(This type of problem is mentioned in a cryptic paragraph
in "Password Security -- A Case History" by Robert Morris and Ken Thompson.)
It is also very misleading to use srand/rand
since the time-of-day is our only source of randomness.
For example, the hexadecimal representation of the time-of-day
is 8 characters long and can be used directly as the generated password.
Please, never ever use srand/rand in a password generating program!
Much worse, the time of day is *highly* predictable.
If a password's creation time can be guessed within a few hours
it can be found out in just a minute or so of computation.
(This is particularly easy if one can periodically snapshot
the list of encrypted passwords.)
It is possible to do even worse -- one password generator
posted to Usenet produced only about 1000 different passwords.
One can do much better by using other semi-random
values such as the current tv_usec (gettimeofday), millitm (ftime),
process id (getpid), and so on. But that is not enough.
Try this: ask the user to press <interrupt>
and then perform a busy loop such as:
long count = 0;
while (!interrupted && ++count < HUGE)
;
/* (If count >= HUGE the user wasted too much cpu time. Retry.) */
/* (If the high-order bits are zero we did not loop enough. Retry.) */
/* low-order 16 bits of count are fairly random now */
Do this three times to obtain 48 semi-random bits.
XOR into that the various semi-random values mentioned above.
Now generate an 8 character long password by using 6 bits per character
("base-64" characters ala uuencode).
Post THAT to the net. Please. I promise I will use it.
Help stamp out bogus password generators!
Tom Truscott
More information about the Comp.unix.questions
mailing list