Path: utzoo!utgpu!watmath!clyde!att!rutgers!iuvax!bsu-cs!dhesi
From: dhesi@bsu-cs.UUCP (Rahul Dhesi)
Newsgroups: comp.unix.wizards
Subject: Re: random passwords (was Re: Worm...)
Message-ID: <4892@bsu-cs.UUCP>
Date: 29 Nov 88 21:24:41 GMT
References: <28399@tut.cis.ohio-state.edu> <278@aber-cs.UUCP> <10896@ulysses.homer.nj.att.com>
Reply-To: dhesi@bsu-cs.UUCP (Rahul Dhesi)
Distribution: eunet,world
Organization: CS Dept, Ball St U, Muncie, Indiana
Lines: 26

In article <10896@ulysses.homer.nj.att.com> smb@ulysses.homer.nj.att.com
(Steven M. Bellovin) writes:
[some calculations]
>If your encryptions take even 10 microseconds -- still 1000 times the best
>speed reported for an 8600 -- my password is safe for 2 years. I change
>it more frequently than that...

Not quite. Your password is safe for two years against a certain
attack, for one year against an attack with a 50% chance of
success...etc.

Consider the claim: "Give me a week, and there's a 1% chance that I
will break into your account." If the person keeps trying week after
week, he will likely break into your account after two or three years
of trying. No matter how often you change your password.

No matter how often you change your password! I don't like the sound
of that.

(I do realize that your calculations were too conservative by a large
factor.)
--
Rahul Dhesi UUCP:!{iuvax,pur-ee}!bsu-cs!dhesi
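
The compounding in the post above, worked through as an added example that is not part of the original post. It assumes a constant weekly success chance p, that a weekly password change makes every week an independent trial, and that against an unchanged password the attacker never retests a guess; all function names are hypothetical.

```python
import math
import random


def risk_with_rotation(p_week, weeks):
    """Password changed every week: each week is a fresh, independent
    trial, so the cumulative risk is 1 - (1 - p)^n (assumed model)."""
    return 1.0 - (1.0 - p_week) ** weeks


def risk_without_rotation(p_week, weeks):
    """Password never changed: guesses are not repeated, so the searched
    fraction of the key space grows linearly until it is exhausted."""
    return min(1.0, p_week * weeks)


def weeks_to_reach(target, p_week):
    """Smallest whole number of weeks after which the cumulative risk
    against a weekly-rotated password is at least `target`."""
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_week))


def simulate_rotation(p_week, weeks, trials, seed=1988):
    """Monte Carlo check of risk_with_rotation: fraction of simulated
    accounts broken at least once within `weeks` weeks."""
    rng = random.Random(seed)
    broken = sum(
        any(rng.random() < p_week for _ in range(weeks))
        for _ in range(trials)
    )
    return broken / trials


if __name__ == "__main__":
    p = 0.01  # the "1% chance per week" claim quoted in the post
    print("weeks  rotated  unchanged")
    for weeks in (1, 26, 52, 104, 156):
        print(f"{weeks:5d}  {risk_with_rotation(p, weeks):7.3f}"
              f"  {risk_without_rotation(p, weeks):9.3f}")
    print("weeks until 50% risk despite rotation:", weeks_to_reach(0.5, p))
    print("simulated 2-year risk:", simulate_rotation(p, 104, 20000))
```

Under these assumptions, changing the password only turns certain compromise at 100 weeks into roughly a two-in-three chance; it does not cap the cumulative risk, which depends on the per-attempt success rate.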