Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!cmcl2!nrl-cmf!ames!pasteur!ucbvax!decwrl!labrea!glacier!jbn
From: jbn@glacier.STANFORD.EDU (John B. Nagle)
Newsgroups: comp.misc
Subject: Re: Password choices
Keywords: passwords
Message-ID: <17533@glacier.STANFORD.EDU>
Date: 9 Jul 88 05:49:32 GMT
References: <3375@phri.UUCP> <30453@pyramid.pyramid.com>
Reply-To: jbn@glacier.UUCP (John B. Nagle)
Organization: Stanford University
Lines: 18

In article <30453@pyramid.pyramid.com> csg@pyramid.pyramid.com (Carl S. Gutekunst) writes:
>/*
> * randpass.c -- generate really random passwords. For BSD Unixes only.
> * Includes all ASCII chars '0' through 'z', except '@' and '\\'
> */

No good. If you know that a password was generated with this algorithm, coming up with good guesses is straightforward. If, as is typical under UNIX, one can test guesses without risk of discovery, this is a reasonably easy technique to crack. If you happen to know when the password was changed, the attack is trivial, of course.

John Nagle

"Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin."
Von Neumann
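An added example, not part of the original post and not the code of randpass.c (which this page does not show): it puts a seed-driven generator beside one that draws from the kernel, over the 73-character alphabet the quoted header describes, and compares the guessing work each leaves. The password length, the LCG, the seed value and every function name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PWLEN 8  /* assumed length; the post does not give one */

/* Alphabet from the quoted header: '0'..'z' except '@' and '\\'. */
static int build_alphabet(char *out) {
    int n = 0;
    for (int c = '0'; c <= 'z'; c++)
        if (c != '@' && c != '\\') out[n++] = (char)c;
    out[n] = '\0';
    return n;
}
/* Weak (hypothetical LCG, 31-bit state): one seed fixes the whole password. */
static void weak_pass(unsigned long seed, char *pw) {
    char a[80]; int n = build_alphabet(a);
    unsigned long s = seed & 0x7fffffffUL;
    for (int i = 0; i < PWLEN; i++) {
        s = (s * 1103515245UL + 12345UL) & 0x7fffffffUL;
        pw[i] = a[(s >> 16) % (unsigned long)n];
    }
    pw[PWLEN] = '\0';
}
/* Hardened: kernel randomness, rejection sampling to avoid modulo bias. */
static int strong_pass(char *pw) {
    char a[80]; int n = build_alphabet(a), i = 0, b;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    while (i < PWLEN) {
        if ((b = fgetc(f)) == EOF) { fclose(f); return -1; }
        if (b < 256 - 256 % n) pw[i++] = a[b % n];
    }
    fclose(f);
    pw[PWLEN] = '\0';
    return 0;
}
/* floor(log2(n^len)): guessing work in bits for len symbols drawn from n. */
static int work_bits(unsigned long long n, int len) {
    unsigned long long k = 1; int b = 0;
    while (len-- > 0) k *= n;
    while (k >>= 1) b++;
    return b;
}

int main(void) {
    char pw[PWLEN + 1];
    weak_pass(12345UL, pw);  /* constructed seed */
    printf("weak   %s  <= 31 bits; ~%d if the day is known\n", pw, work_bits(86400, 1));
    if (strong_pass(pw) == 0) printf("strong %s  ~%d bits\n", pw, work_bits(73, PWLEN));
    return 0;
}
```

The weak generator can never emit more passwords than it has seeds, whatever the alphabet size, and a clock-derived seed known to within a day leaves only 86400 candidates.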