Worm/Passwords

Piercarlo Grandi pcg at aber-cs.UUCP
Sat Nov 26 06:03:43 AEST 1988


In article <13169 at ncoast.UUCP> allbery at ncoast.UUCP (Brandon S. Allbery) writes:
    As quoted from <4668 at mtgzz.att.com> by avr at mtgzz.att.com (a.v.reed):
    +---------------
    | psychology" types. Yes, there are good programs that generate passwords
    | which incorporate a random element but can be remembered by humans
    | anyway. To design such a program, you have to know not only what is
    | difficult to crack, but also what is easy for people to remember. 
    +---------------
    
    I once hacked together a program that used tables of letters which commonly
    followed one another in English to create random but (usually) pronounceable
    passwords.  I don't know how anyone else's brain works (heck, I'm fuzzy on
    how *mine* works ;-) but I find pronounceable passwords MUCH easier to
    remember.  The program is dust now, along with the computer it ran on (OSI
    SuperBoard II, 8K BASIC!) but I should be able to recreate the program with
    a little thinking.
    
    A possible enhancement is to use phonemes instead of letters, thus
    increasing the chances of a pronounceable password.  It could be combined
    with a phoneme-to-letter table which could randomly (or maybe not so
    randomly, depends on how much time I want to put in it) choose between
    alternative representations (f/ph, etc.) of a phoneme.

As has been discussed at length and conclusively, generating mnemonic
passwords by algorithm is a very bad idea, because:

[1] It restricts unconscionably the key space (usually to a few thousand
or at best dozen thousand entries).

[2] If the algorithm used to generate the passwords gets known, it can be
used to obtain a complete list of all possible passwords. This gives a
penetrator confidence that he now knows 100% of the passwords on 100%
of the sites that use the algorithm.

[3] If the penetrator does not know the algorithm, he can still usually deduce it
quite easily and accurately because of [1].

Manual generation of passwords also suffers from problem [1], but at least
the penetrator does not enjoy certainty [2].
-- 
Piercarlo "Peter" Grandi			INET: pcg at cs.aber.ac.uk
Sw.Eng. Group, Dept. of Computer Science	UUCP: ...!mcvax!ukc!aber-cs!pcg
UCW, Penglais, Aberystwyth, WALES SY23 3BZ (UK)
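The three objections above can be put in numbers. The following is an added example, not code from either poster: it builds a digram-table pronounceable password generator of the kind described in the quoted message (the table itself is constructed for illustration, not the original OSI BASIC table; j and q are left out), then measures the key space it actually offers against uniform random lowercase letters of the same length ([1]), enumerates the complete list of outputs for a given length once the table is known ([2]), and reconstructs the table from nothing but a batch of generated passwords ([3]).

```python
import math
import random
from typing import Dict, Iterator, List

# Constructed digram table (an assumption for this example, not the quoted
# program's table): for each letter, the letters that "commonly follow" it.
# Every follower is itself a key, so a walk never gets stuck.
FOLLOWERS: Dict[str, str] = {
    "a": "lmnrstvw", "e": "dlmnrstx", "i": "cdlmnpst", "o": "bfgklmnprt", "u": "bcgklmnprsz",
    "b": "aeiolr", "c": "aehiko", "d": "aeior", "f": "aeilor", "g": "aehilor",
    "h": "aeiou", "k": "aeilnor", "l": "aeiouy", "m": "aeiou", "n": "aeiogt",
    "p": "aehilor", "r": "aeiou", "s": "aehiklmnoptu", "t": "aehiorw", "v": "aeio",
    "w": "aehior", "x": "aeiop", "y": "aeo", "z": "aeio",
}
ALPHABET = 26  # key space per character for a uniform random lowercase password


def generate(rng: random.Random, length: int) -> str:
    """One pronounceable password: uniform start letter, then a uniform
    choice among the current letter's followers at every step."""
    out = [rng.choice(sorted(FOLLOWERS))]
    while len(out) < length:
        out.append(rng.choice(FOLLOWERS[out[-1]]))
    return "".join(out)


def sample_passwords(seed: int, count: int, length: int) -> List[str]:
    """Deterministic batch of generated passwords (what a penetrator might collect)."""
    rng = random.Random(seed)
    return [generate(rng, length) for _ in range(count)]


def count_outputs(length: int) -> int:
    """Objection [1]: exact number of distinct passwords the generator can emit.
    Dynamic programme over the digram graph; followers are distinct letters,
    so distinct walks are distinct strings."""
    ways = {c: 1 for c in FOLLOWERS}
    for _ in range(length - 1):
        nxt = {c: 0 for c in FOLLOWERS}
        for c, n in ways.items():
            for f in FOLLOWERS[c]:
                nxt[f] += n
        ways = nxt
    return sum(ways.values())


def entropy_bits(length: int) -> float:
    """Shannon entropy of the output distribution, in bits. It is below
    log2(count_outputs) because letters with few followers make their
    successors more predictable than a uniform draw over all outputs."""
    prob = {c: 1.0 / len(FOLLOWERS) for c in FOLLOWERS}
    h = math.log2(len(FOLLOWERS))  # entropy of the uniform start letter
    for _ in range(length - 1):
        nxt = {c: 0.0 for c in FOLLOWERS}
        for c, p in prob.items():
            k = len(FOLLOWERS[c])
            h += p * math.log2(k)  # conditional entropy of the next letter
            for f in FOLLOWERS[c]:
                nxt[f] += p / k
        prob = nxt
    return h


def enumerate_all(length: int) -> Iterator[str]:
    """Objection [2]: with the table known, the complete list of possible passwords."""
    def walk(prefix: str) -> Iterator[str]:
        if len(prefix) == length:
            yield prefix
            return
        for f in FOLLOWERS[prefix[-1]]:
            yield from walk(prefix + f)
    for c in sorted(FOLLOWERS):
        yield from walk(c)


def infer_table(samples: List[str]) -> Dict[str, str]:
    """Objection [3]: rebuild the digram table from observed passwords alone.
    Every transition seen is a transition the generator allows."""
    seen: Dict[str, set] = {}
    for pw in samples:
        for a, b in zip(pw, pw[1:]):
            seen.setdefault(a, set()).add(b)
    return {a: "".join(sorted(b)) for a, b in sorted(seen.items())}


def main() -> None:
    length = 8
    print("uniform lowercase, %d chars: %.1f bits (%d outputs)"
          % (length, length * math.log2(ALPHABET), ALPHABET ** length))
    print("digram generator, %d chars:  %.1f bits (%d outputs)"
          % (length, entropy_bits(length), count_outputs(length)))
    samples = sample_passwords(1988, 5000, length)
    recovered = sum(len(v) for v in infer_table(samples).values())
    total = sum(len(v) for v in FOLLOWERS.values())
    print("table transitions recovered from %d samples: %d of %d"
          % (len(samples), recovered, total))


if __name__ == "__main__":
    main()
```

The generator's key space for eight characters is a tiny fraction of 26^8, and the entropy figure is smaller still; `enumerate_all` is the "complete list" of [2], and `infer_table` shows how few leaked passwords it takes to learn the table when the key space is that small. Manual choice of a memorable word suffers the first problem too, as the reply says, but there is no fixed table for `infer_table` to recover.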



More information about the Comp.unix.wizards mailing list