Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!cmcl2!nrl-cmf!ames!pasteur!ucbvax!decwrl!labrea!glacier!jbn
From: jbn@glacier.STANFORD.EDU (John B. Nagle)
Newsgroups: comp.misc
Subject: Re: Password choices
Keywords: passwords
Message-ID: <17533@glacier.STANFORD.EDU>
Date: 9 Jul 88 05:49:32 GMT
References: <3375@phri.UUCP> <30453@pyramid.pyramid.com>
Reply-To: jbn@glacier.UUCP (John B. Nagle)
Organization: Stanford University
Lines: 18

In article <30453@pyramid.pyramid.com> csg@pyramid.pyramid.com (Carl S. Gutekunst) writes:
>/*
> * randpass.c -- generate really random passwords. For BSD Unixes only.
> * Includes all ASCII chars '0' through 'z', except '@' and '\\'
> */

      No good.  If you know that a password was generated with this algorithm,
coming up with good guesses is straightforward.  If, as is typical under
UNIX, one can test guesses without risk of discovery, this is a reasonably easy
technique to crack.  If you happen to know when the password was changed,
the attack is trivial, of course.  


					John Nagle

"Anyone who attempts to generate random numbers by deterministic means is,
of course, living in a state of sin."
				Von Neumann
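
The objection above, shown in C as an added example that is not part of the original post and is not the code of randpass.c: a generator whose output is fixed by one seed, beside one that draws each character from the kernel's random source over the same alphabet. The 8-character length, the srand()/rand() seeding in the weak form, the function names and the use of /dev/urandom are assumptions; the post shows only the header comment of randpass.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_LEN 8 /* assumed length; the post does not give one */

/* Alphabet from the quoted header: '0'..'z' except '@' and '\\' (73 chars). */
static int build_alphabet(char *out)
{
    int n = 0;
    for (int c = '0'; c <= 'z'; c++)
        if (c != '@' && c != '\\')
            out[n++] = (char)c;
    return n;
}

/* Weak form (assumed seeding, not taken from randpass.c): the whole password
 * is a function of one seed, so it is only as unpredictable as the seed. */
void weak_password(unsigned seed, char *pw)
{
    char alpha[80];
    int n = build_alphabet(alpha);
    srand(seed);
    for (int i = 0; i < PW_LEN; i++)
        pw[i] = alpha[rand() % n];
    pw[PW_LEN] = '\0';
}

/* Hardened form: bytes from the kernel CSPRNG, with rejection sampling so
 * every character is equally likely. Returns 0 on success, -1 on failure. */
int strong_password(char *pw)
{
    char alpha[80];
    int n = build_alphabet(alpha);
    int limit = 256 - (256 % n); /* largest multiple of n that fits a byte */
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    for (int i = 0; i < PW_LEN;) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if (b < limit)
            pw[i++] = alpha[b % n];
    }
    fclose(f);
    pw[PW_LEN] = '\0';
    return 0;
}
```

With the weak form the number of distinct passwords can never exceed the number of distinct seeds, however large the alphabet; the hardened form has no seed to recover.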