Worm/Passwords
Piercarlo Grandi
pcg at aber-cs.UUCP
Sat Nov 26 06:03:43 AEST 1988
In article <13169 at ncoast.UUCP> allbery at ncoast.UUCP (Brandon S. Allbery) writes:
As quoted from <4668 at mtgzz.att.com> by avr at mtgzz.att.com (a.v.reed):
+---------------
| psychology" types. Yes, there are good programs that generate passwords
| which incorporate a random element but can be remembered by humans
| anyway. To design such a program, you have to know not only what is
| difficult to crack, but also what is easy for people to remember.
+---------------
I once hacked together a program that used tables of letters which commonly
followed one another in English to create random but (usually) pronounceable
passwords. I don't know how anyone else's brain works (heck, I'm fuzzy on
how *mine* works ;-) but I find pronounceable passwords MUCH easier to
remember. The program is dust now, along with the computer it ran on (OSI
SuperBoard II, 8K BASIC!) but I should be able to recreate the program with
a little thinking.
A possible enhancement is to use phonemes instead of letters, thus
increasing the chances of a pronounceable password. It could be combined
with a phoneme-to-letter table which could randomly (or maybe not so
randomly, depends on how much time I want to put in it) choose between
alternative representations (f/ph, etc.) of a phoneme.
As has been discussed at length and conclusively, generating by algorithm
mnemonic passwords is a very bad idea, because:
[1] It restricts unconscionably the key space (usually to a few thousand
or at best dozen thousand entries).
[2] If the algorithm used to generate the passwords gets known, it can be
used to obtain a complete list of all possible passwords. This gives a
penetrator confidence that he now knows 100% of the passwords on 100%
of the sites that use the algorithm.
[3] If the penetrator does not know the algorithm, he can still usually deduce it
quite easily and accurately because of [1].
Manual generation of passwords also suffers from problem [1], but at least
the penetrator does not enjoy certainty [2].
--
Piercarlo "Peter" Grandi INET: pcg at cs.aber.ac.uk
Sw.Eng. Group, Dept. of Computer Science UUCP: ...!mcvax!ukc!aber-cs!pcg
UCW, Penglais, Aberystwyth, WALES SY23 3BZ (UK)
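The key-space restriction in point [1] can be measured for any table-driven generator of the kind discussed in this thread. The following is an added example, not part of the original post or of either poster's program: the digram table `FOLLOW` and all function names are constructed for illustration. It counts the passwords such a generator can emit and computes the entropy of its output, for comparison with uniformly random letters.

```python
import math
import secrets

# Constructed toy digram table (an assumption, not from the post):
# each key maps to the letters allowed to follow it.
FOLLOW = {
    "a": "lnrst", "e": "lnrst", "i": "lnst", "o": "lnrt", "u": "lnrst",
    "l": "aeiou", "n": "aeiot", "r": "aeiou", "s": "aeiotu",
    "t": "aeiohr", "h": "aeiou",
}
FIRST = sorted(FOLLOW)

def generate(length):
    """Draw one password: uniform first letter, then uniform over allowed followers."""
    pw = secrets.choice(FIRST)
    while len(pw) < length:
        pw += secrets.choice(FOLLOW[pw[-1]])
    return pw

def count_outputs(length):
    """Exact number of distinct passwords the generator can emit (dynamic programming)."""
    ending_in = {c: 1 for c in FIRST}
    for _ in range(length - 1):
        nxt = dict.fromkeys(FIRST, 0)
        for prev, n in ending_in.items():
            for c in FOLLOW[prev]:
                nxt[c] += n
        ending_in = nxt
    return sum(ending_in.values())

def shannon_bits(length):
    """Entropy of the output distribution, via the chain rule over positions."""
    prob = {c: 1 / len(FIRST) for c in FIRST}
    bits = math.log2(len(FIRST))
    for _ in range(length - 1):
        nxt = dict.fromkeys(FIRST, 0.0)
        for prev, p in prob.items():
            bits += p * math.log2(len(FOLLOW[prev]))
            for c in FOLLOW[prev]:
                nxt[c] += p / len(FOLLOW[prev])
        prob = nxt
    return bits

if __name__ == "__main__":
    n = 8
    print("sample:", generate(n))
    print("reachable passwords:", count_outputs(n), "of", 26 ** n)
    print(f"entropy: {shannon_bits(n):.1f} bits vs {n * math.log2(26):.1f} bits uniform")
```

The entropy figure is the one to compare against a password policy: it is never larger than the base-2 logarithm of the reachable count, because the generator does not pick all reachable strings with equal probability.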