Xref: utzoo comp.unix.questions:8007 comp.misc:2735
Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!gatech!uflorida!novavax!proxftl!aaron
From: aaron@proxftl.UUCP (Aaron Zimmerman)
Newsgroups: comp.unix.questions,comp.misc
Subject: Re: Password choices
Summary: passwords and lottery
Keywords: passwords
Message-ID: <434@proxftl.UUCP>
Date: 7 Jul 88 14:18:32 GMT
References: <4387@ptsfa.PacBell.COM> <11470@steinmetz.ge.com>
Organization: Proximity Technology, Ft. Lauderdale
Lines: 81

Aah, the eternal 'what do I use as a password' conflict. Well, whoever posted message #366 (or was it 266? I think 366) seemed to have the right idea - take a relatively random phrase, and use the first letters of each word (or the last letters, or the second letters, or whatever turns you on).

Bad passwords, obviously, are: your name, your middle name, names of members of your families, names of anyone at all; common computer words such as "foobar", "unix", etc. also aren't so great. Again, what that other person said about something you can type quickly is good.

At my school (when I'm not working here at Proximity, I'm a student of SUNY@Stony Brook), many people take pleasure in obtaining passwords of others for practical joke purposes.. I once guessed someone's zzyzx password despite his typing it very quickly - it's an unusual pattern (including three z's and an x, both of which are in a corner of the keyboard). It might be a safer guess to go with generally more centrally-located keys (not necessarily only using asdf and jkl;, but certainly staying away from, say, 31415).

Oh, yes, other unsafe passwords are numerical constants. I once thought that it would be a good password to use the first sixteen digits of pi (on a system of unlimited password length), but it's not good enough, since fingers which stay on the top row are easily followed...
Someone must have seen the 314 at the beginning, listened to count the number of keystrokes, and then looked up the actual digits. (now, if I had deliberately changed the last few digits to something else...)

Seriously, though, I'd say that the first letters of each word in a randomly selected phrase has to be the best idea I've seen.

A little while ago I came up with an algorithm for my personal computer (I used to own a Macintosh, though I'm about to sell it).... Living in a college dorm, and one where computers aren't too commonplace (there was an Apple II on my hall, and otherwise my roommate's 286 and my Mac were the only computers on the hall), people liked to mess with our systems - play games, use the word processors, etc. It started getting out of hand, so my roommate used the keyboard lock, and I came up with password protection.

Now, people could guess my password, or watch me type it, perhaps... but it would be to no avail, for I am a fast, and consistent, typer. How is that relevant? The program I had running which asked for the password *timed the rhythm in which the keys were typed*. This would be infeasible on a unix system, but on a personal computer of reasonable processor speed it's not unreasonable. After a certain number of trials it notes the mean times between keystrokes, as well as the standard deviation. Upon entering the password later, I am permitted one standard deviation of difference, and then, upon acceptable entry, the new pattern ('cause it's not _exactly_ the same every time) is averaged into the old trials, to compensate for changing trends in typing speed.

My roommate and I tested it out... we're both fast typers, and, though we each only get in about 1 out of every 1.4 trials, neither of us could log in as the other, even knowing what password to type. I consider this method fairly secure, though a bit off the topic.

While I'm rambling, Lottery tickets:

An interesting observation I've made is that, since any particular number is just as likely to win one week as any other number, it would make the most sense to pick something unusual, in an attempt to avoid having to share a prize in the event of a win. That is, many people pick dates as their lotto 48 numbers. Logical, then, would be to choose something like 33, 35, 37, 39, 41, 43... Or even 43, 44, 45, 46, 47, 48 (though someone else might be doing the same thing). One might say, "aw, come on, you know what the chances of them all coming out sequentially are?", but the numbers chosen do not affect odds of winning - saying they won't come out sequentially is a fair guess, but it is a fair guess that any particular combination of numbers will not happen, considering the minuscule odds of winning.

I don't play the lottery 'cause, in NY State, at least, it's the same thing as giving them $1 and being given back 41 cents - and that's only if you play a lot and you don't get screwed by the odds. It just doesn't pay, but if other people wish to toss their money away in the hopes of the [not impossible] financial security they can win, it's their business. Besides, the lottery money does [often] go to a good cause.

Anyway, I suppose this should have been in a different message, but it was on my mind 'cause people keep asking me, "oh, you're a computer programmer... so can you come up with any lottery numbers for me?" Aaargh.

I'd better end this before I get flamed to pieces for posting in the wrong place.

  / Aaron Zimmerman \     -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 / 3511 NE 22 Ave.   \    : Working for Proximity Technology,   :
<   Fort Lauderdale   >   : but not speaking on their behalf.   :
 \ Florida - 33308   /    : UUCP: uunet!proxftl!aaron           :
  \ (3,055,663,511) /     -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
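
Added example, not part of the original post: a Python sketch of the keystroke-rhythm check the post describes (mean and standard deviation of the gaps between keys from enrollment trials, a one-standard-deviation acceptance window, accepted entries averaged back in). Applying the window to each gap separately, the `floor` parameter, all names and the timing data are assumptions made for the illustration.

```python
import math

class RhythmProfile:
    """Running mean / standard deviation of each inter-keystroke gap."""
    def __init__(self, n_gaps):
        self.n = 0                       # trials averaged in so far
        self.mean = [0.0] * n_gaps
        self.m2 = [0.0] * n_gaps         # sums of squared deviations (Welford)

    def fold(self, gaps):
        """Average one trial into the profile (enrollment or accepted login)."""
        self.n += 1
        for i, g in enumerate(gaps):
            d = g - self.mean[i]
            self.mean[i] += d / self.n
            self.m2[i] += d * (g - self.mean[i])

    def stddev(self):
        return [math.sqrt(m / (self.n - 1)) for m in self.m2]

    def verify(self, gaps, tolerance=1.0, floor=0.005):
        """Accept only if every gap is within `tolerance` standard deviations.
        `floor` (seconds) is an assumption: it keeps a near-zero deviation
        from locking the owner out."""
        if self.n < 2 or len(gaps) != len(self.mean):
            return False
        for g, mu, sd in zip(gaps, self.mean, self.stddev()):
            if abs(g - mu) > tolerance * max(sd, floor):
                return False             # rejected attempts never alter the profile
        self.fold(gaps)                  # follow drift in the owner's typing speed
        return True

# Constructed sample data: gaps in seconds between the 6 keys of one password.
OWNER_TRIALS = [
    [0.110, 0.140, 0.090, 0.200, 0.120],
    [0.120, 0.150, 0.100, 0.190, 0.130],
    [0.100, 0.130, 0.095, 0.210, 0.125],
    [0.115, 0.145, 0.085, 0.205, 0.115],
    [0.105, 0.135, 0.105, 0.195, 0.135],
]

def enrolled_profile():
    p = RhythmProfile(5)
    for trial in OWNER_TRIALS:
        p.fold(trial)
    return p

if __name__ == "__main__":
    p = enrolled_profile()
    print(p.verify([0.112, 0.138, 0.097, 0.203, 0.122]))  # owner's rhythm
    print(p.verify([0.150] * 5))                          # right password, wrong rhythm
```

Updating the profile only on accepted entries matters for the design: if rejected attempts were averaged in too, repeated wrong-rhythm tries would gradually pull the stored pattern toward the person making them.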