a bad password generator.
John B. Nagle
jbn at glacier.STANFORD.EDU
Sat Nov 12 05:01:52 AEST 1988
In article <251 at ispi.UUCP> jbayer at ispi.UUCP writes:
>It is possible to adopt a single system, if that system is random. For
>example, I have included below a random password generating program, written
>for SYS V, but I have been told that it does compile on BSD (please, no flames)
NO GOOD. Just find out, or guess, roughly when the password was changed,
and you can start guessing passwords. Last-login information is helpful here.
The time(II) call returns a value in units of seconds, so if you know when
someone logged in, the number of values to try is modest. Even if you don't,
just trying the value for each second over the busy hours of the day for the
last few days or weeks will probably provide some useful guesses.
Remember Von Neumann: "Anyone attempting to generate random numbers by
deterministic means is, of course, living in a state of sin."
The notion of generating random passwords is a good one, although
in environments where employees do not face severe disciplinary action for
security breaches, people tend to write them down and leave them near terminals.
But the generation technique must be better. Better sources of a few
random bits include using low-order bits from a microsecond clock, reading
angular addresses from all available rotating media, and computing hash
functions on sections of system memory. Using a clock value with one-second
ticks is not acceptable.
Always bear in mind that mapping a non-random value into a large space
does not make the value more random.
John Nagle
More information about the Comp.unix.wizards
mailing list