Path: utzoo!utgpu!watmath!clyde!att!rutgers!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs@encore.com
From: bzs@encore.com (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Improving password security
Keywords: password, security, crypt server via RPC
Message-ID: <4303@encore.UUCP>
Date: 29 Nov 88 22:14:56 GMT
References: <21670@pbhya.PacBell.COM> <27987@tut.cis.ohio-state.edu> <716@quintus.UUCP> <2220@cuuxb.ATT.COM> <741@quintus.UUCP> <522@necisa.necisa.oz>
Sender: news@encore.UUCP
Reply-To: bzs@encore.com (Barry Shein)
Organization: Encore Computer Corp
Lines: 31
In-reply-to: boyd@necisa.necisa.oz (Boyd Roberts)

>On another issue, aren't the ``automated password'' camp completely off
>the beam? With that style of password choice there's no point in
>cracking the _password_. Attack would be focused on the password
>_generator_ function. Unless, of course, the generator algorithm is
>at least equally difficult to crack.
>
>Boyd Roberts NEC Information Systems Australia

I tend to agree with you; now we'll spend the next year or two finding
out how non-random the supposedly random password generators are (or
perhaps 15 minutes once some evil person exploits the fact...)

I believe a change to the passwd program demanding 8-character passwords
(perhaps 7 chars, that's an easy thing to calculate) with some reasonable
rules to avoid dictionary words etc. (like must have at least one
punctuation mark and/or mixed case and/or digits) would be sufficient, and
people can get back to more important things.

In fact, easy-to-remember passwords like:

	Hey%Jude
	RunUnix!
	Lemme+In

are quite hard to crack unless you have some reason to guess that sort of
thing. People are pretty good generators if someone explains to them what
the game is.

	-Barry Shein, ||Encore||
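The passwd-program rules Barry sketches (minimum length, no plain dictionary word, at least one punctuation mark, digit, or mixed case) as an added checker; this is example code written for this page, not Encore's or any Unix vendor's passwd. The wordlist is a constructed stand-in for a real dictionary file, and `passwd_acceptable` is an assumed function name.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Minimum length from the post (Barry mentions 7 as an alternative). */
#define MIN_PASSWD_LEN 8

/* Constructed sample wordlist standing in for a real dictionary file. */
static const char *const dictionary[] = {
    "password", "secret", "welcome", "letmein", "encore", NULL
};

/* Case-insensitive equality, so "Password" still counts as the word "password". */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

static bool in_dictionary(const char *pw)
{
    for (size_t i = 0; dictionary[i] != NULL; i++)
        if (ieq(pw, dictionary[i]))
            return true;
    return false;
}

/* Returns true if pw satisfies the rules from the post: at least
 * MIN_PASSWD_LEN characters, not a dictionary word (any capitalisation),
 * and at least one of: punctuation, a digit, or mixed case. */
bool passwd_acceptable(const char *pw)
{
    bool has_punct = false, has_digit = false, has_upper = false, has_lower = false;

    if (strlen(pw) < MIN_PASSWD_LEN || in_dictionary(pw))
        return false;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (ispunct(*p))      has_punct = true;
        else if (isdigit(*p)) has_digit = true;
        else if (isupper(*p)) has_upper = true;
        else if (islower(*p)) has_lower = true;
    }
    return has_punct || has_digit || (has_upper && has_lower);
}
```

Note that "Password" fails even though it is 8 characters and mixed case: the dictionary rule is applied independently of the character-class rule.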