Path: utzoo!utgpu!watmath!clyde!att!rutgers!tut.cis.ohio-state.edu!bloom-beacon!bu-cs!encore!bzs@encore.com
From: bzs@encore.com (Barry Shein)
Newsgroups: comp.unix.wizards
Subject: Re: Improving password security
Keywords: password, security, crypt server via RPC
Message-ID: <4303@encore.UUCP>
Date: 29 Nov 88 22:14:56 GMT
References: <21670@pbhya.PacBell.COM> <27987@tut.cis.ohio-state.edu> <716@quintus.UUCP> <2220@cuuxb.ATT.COM> <741@quintus.UUCP> <522@necisa.necisa.oz>
Sender: news@encore.UUCP
Reply-To: bzs@encore.com (Barry Shein)
Organization: Encore Computer Corp
Lines: 31
In-reply-to: boyd@necisa.necisa.oz (Boyd Roberts)

>On another issue, aren't the ``automated password'' camp completely off
>the beam?  With that style of password choice there's no point in
>cracking the _password_.  Attack would be focused on the password
>_generator_ function.  Unless, of course, the generator algorithm is
>at least equally difficult to crack.
>
>Boyd Roberts			NEC Information Systems Australia

I tend to agree with you; now we'll spend the next year or two finding
out how non-random the supposedly random password generators are (or
perhaps 15 minutes, once some evil person exploits the fact...)

I believe a change to the passwd program demanding 8-character
passwords (perhaps 7 chars; that's an easy thing to calculate) with
some reasonable rules to avoid dictionary words etc. (like must have at
least one punctuation and/or mixed case and/or digits) would be
sufficient, and people can get back to more important things. In
fact, easy-to-remember passwords like:

	Hey%Jude
	RunUnix!
	Lemme+In

are quite hard to crack unless you have some reason to guess that sort
of thing. People are pretty good generators if someone explains to
them what the game is.

	-Barry Shein, ||Encore||
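As an added example, not code from this post or from any real passwd program, here is a C acceptance check implementing the rules proposed above: a minimum length, at least one of punctuation / a digit / mixed case, and a dictionary test. It goes slightly beyond the post by also checking the password with digits and punctuation stripped, so "Password1"-style padding of a word is still rejected; the word list is a constructed stand-in and the function name is hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical acceptance check modelled on the rules proposed in the post:
 * at least MIN_LEN characters, at least one of punctuation / a digit /
 * mixed case, and not a plain dictionary word (even one padded with digits
 * or punctuation). The word list is a constructed stand-in for a real one. */
#define MIN_LEN 8
static const char *const kDictionary[] = {
    "password", "computer", "encore", "unix", "jude", "monkey"
};
static bool ieq(const char *a, const char *b)    /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

static bool in_dictionary(const char *word)
{
    for (size_t i = 0; i < sizeof kDictionary / sizeof kDictionary[0]; i++)
        if (ieq(word, kDictionary[i]))
            return true;
    return false;
}

/* Returns NULL when the password is acceptable, else a short reason. */
const char *check_password(const char *pw)
{
    bool up = false, low = false, dig = false, pun = false;
    char core[256];                          /* the alphabetic characters only */
    size_t n = 0, len = strlen(pw);
    if (len < MIN_LEN || len >= sizeof core)
        return "bad length";
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (isupper(*p))      { up = true;  core[n++] = (char)*p; }
        else if (islower(*p)) { low = true; core[n++] = (char)*p; }
        else if (isdigit(*p)) dig = true;
        else if (ispunct(*p)) pun = true;
    }
    core[n] = '\0';
    if (!(pun || dig || (up && low)))
        return "needs punctuation, a digit, or mixed case";
    if (in_dictionary(pw) || in_dictionary(core))
        return "dictionary word";
    return NULL;
}
```

Note that this is a composition rule, not an entropy estimate: it accepts the three examples from the post while rejecting all-lowercase strings and padded dictionary words.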