Improving password security

Barry Shein bzs at encore.com
Wed Nov 30 08:14:56 AEST 1988


>On another issue, aren't the ``automated password'' camp completely off
>the beam?  With that style of password choice there's no point in
>cracking the _password_.  Attack would be focused on the password
>_generator_ function.  Unless, of course, the generator algorithm is
>at least equally difficult to crack.
>
>Boyd Roberts			NEC Information Systems Australia

I tend to agree with you; now we'll spend the next year or two finding
out how non-random the supposedly random password generators are (or
perhaps 15 minutes once some evil person exploits the fact...)

I believe a change to the passwd program demanding 8-character
passwords (perhaps 7 chars, that's an easy thing to calculate) with
some reasonable rules to avoid dictionary words etc. (like must have at
least one punctuation and/or mixed case and/or digits) would be
sufficient and people can get back to more important things. In
fact, easy-to-remember passwords like:

	Hey%Jude
	RunUnix!
	Lemme+In

are quite hard to crack unless you have some reason to guess that sort
of thing. People are pretty good generators if someone explains to
them what the game is.

	-Barry Shein, ||Encore||
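
The passwd rules proposed in the message above (8-character minimum, at least one of punctuation, mixed case or digits, no dictionary words), written out as an added C example; it is not code from the original post or from any passwd source. The function names, the constructed word list and the choice to strip non-letters before the dictionary lookup are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define MIN_LEN 8 /* length proposed in the message */

/* Constructed sample list; a real passwd would consult the system word list. */
static const char *WORDS[] = { "password", "computer", "elephant", "sunshine" };

/* Assumption: lowercase and drop non-letters first, so "Password1" matches "password". */
static int is_dictionary_word(const char *pw)
{
    char folded[128];
    size_t n = 0, i;
    for (i = 0; pw[i] != '\0' && n < sizeof folded - 1; i++)
        if (isalpha((unsigned char)pw[i]))
            folded[n++] = (char)tolower((unsigned char)pw[i]);
    folded[n] = '\0';
    for (i = 0; i < sizeof WORDS / sizeof WORDS[0]; i++)
        if (strcmp(folded, WORDS[i]) == 0) return 1;
    return 0;
}

/* Returns NULL if pw is acceptable, otherwise the reason it is refused. */
const char *check_password(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, punct = 0;
    size_t i, len = strlen(pw);
    if (len < MIN_LEN) return "too short";
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) punct = 1;
    }
    /* "at least one punctuation and/or mixed case and/or digits" */
    if (!(punct || digit || (lower && upper))) return "no punctuation, digit or mixed case";
    if (is_dictionary_word(pw)) return "dictionary word";
    return NULL;
}

int main(void)
{
    const char *s[] = { "Hey%Jude", "RunUnix!", "Lemme+In", "elephant", "Password1", "Ab1!" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        const char *why = check_password(s[i]);
        printf("%-10s %s\n", s[i], why ? why : "ok");
    }
}
```

The three passwords from the message are accepted; `Password1` satisfies the character rule but is still refused by the dictionary lookup.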

	
	


