Path: utzoo!utgpu!watmath!clyde!att!rutgers!iuvax!bsu-cs!dhesi
From: dhesi@bsu-cs.UUCP (Rahul Dhesi)
Newsgroups: comp.unix.wizards
Subject: Re: random passwords (was Re: Worm...)
Message-ID: <4892@bsu-cs.UUCP>
Date: 29 Nov 88 21:24:41 GMT
References: <28399@tut.cis.ohio-state.edu> <278@aber-cs.UUCP> <10896@ulysses.homer.nj.att.com>
Reply-To: dhesi@bsu-cs.UUCP (Rahul Dhesi)
Distribution: eunet,world
Organization: CS Dept, Ball St U, Muncie, Indiana
Lines: 26

In article <10896@ulysses.homer.nj.att.com> smb@ulysses.homer.nj.att.com
(Steven M. Bellovin) writes:
[some calculations]
>If your encryptions take even 10 microseconds -- still 1000 times the best
>speed reported for an 8600 -- my password is safe for 2 years.  I change
>it more frequently than that...

Not quite.  Your password is safe for two years against a certain
attack, for one year against an attack with a 50% chance of
success...etc.

Consider the claim:  "Give me a week, and there's a 1% chance that I
will break into your account."

If the person keeps trying week after week, he will likely break into
your account after two or three years of trying.

No matter how often you change your password.

No matter how often you change your password!  I don't like the sound
of that.

(I do realize that your calculations were too conservative by a large
factor.)
-- 
Rahul Dhesi         UUCP:  !{iuvax,pur-ee}!bsu-cs!dhesi
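
The arithmetic behind the post, as an added example that is not part of the original message: it compares a password that never changes (exhaustive search, success grows linearly) with one changed every week (each week an independent 1% trial). The 100-week full-search time is an assumption chosen so that one week covers 1% of the space; all function names are illustrative.

```python
import math
import random

P_WEEK = 0.01              # the post's "1% chance per week"
FULL_SEARCH_WEEKS = 100    # assumption: one week of guessing covers 1% of the space

def p_fixed(weeks, full_search_weeks=FULL_SEARCH_WEEKS):
    """Password never changes: guesses are not repeated, so the chance of
    having found it grows linearly and reaches certainty at full search."""
    return min(1.0, weeks / full_search_weeks)

def p_rotated(weeks, p_week=P_WEEK):
    """Password changes every week: earlier guesses are wasted, so every
    week is an independent trial and there is no point of certainty."""
    return 1.0 - (1.0 - p_week) ** weeks

def weeks_to_reach(target, p_week=P_WEEK):
    """Smallest whole number of weeks at which p_rotated() reaches target."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_week))

def mean_weeks_fixed(full_search_weeks=FULL_SEARCH_WEEKS):
    """Expected time to find a fixed password placed uniformly in the space."""
    return full_search_weeks / 2

def mean_weeks_rotated(p_week=P_WEEK):
    """Expected time to the first success of a geometric trial."""
    return 1.0 / p_week

def simulate_rotated(weeks, p_week=P_WEEK, trials=20000, seed=1988):
    """Monte Carlo check of p_rotated(): fraction of simulated attackers
    who get in at least once within the given number of weeks."""
    rng = random.Random(seed)
    hits = sum(
        any(rng.random() < p_week for _ in range(weeks))
        for _ in range(trials)
    )
    return hits / trials

if __name__ == "__main__":
    print("weeks  fixed  rotated")
    for w in (26, 52, 69, 104, 156):
        print(f"{w:5d}  {p_fixed(w):5.2f}  {p_rotated(w):7.3f}")
    print("median weeks, rotated:", weeks_to_reach(0.5))
    print("mean weeks, fixed vs rotated:",
          mean_weeks_fixed(), mean_weeks_rotated())
    print("simulated, 104 weeks:", simulate_rotated(104))
```

Under these assumptions weekly changes move the median time to compromise from 50 weeks to 69 and the mean from 50 to 100, but the attacker's cumulative chance still passes 60% after two years and never stops growing.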