Path: utzoo!utgpu!watmath!clyde!att!rutgers!mailrus!cornell!uw-beaver!tektronix!tekcrl!eirik
From: eirik@tekcrl.TEK.COM (Eirik Fuller)
Newsgroups: comp.unix.wizards
Subject: Re: Worm/Passwords
Summary: metapasswords
Keywords: guessing passwords
Message-ID: <3345@tekcrl.CRL.TEK.COM>
Date: 2 Dec 88 23:49:10 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <251@ispi.UUCP> <205@twwells.uucp> <8981@smoke.BRL.MIL> <220@twwells.uucp> <8998@smoke.BRL.MIL> <231@twwells.uucp>
Sender: ftp@tekcrl.CRL.TEK.COM
Organization: Tektronix, Inc., Beaverton,  OR.
Lines: 29

In article <231@twwells.uucp> bill@twwells.UUCP (T. William Wells) writes:
) ...
) 
) 			   I was just addressing a valid objection
) raised elsewhere about password generators.  The travesty program has
) the benefit of augmenting its random generator with additional data
) that the crasher has to get to before he can crack the password.
) 
) This eliminates the problem with a crasher simply running a generator
) program through all its possible states.

Yes, it means he has to guess the meta-password too :-)

If he knows the algorithm for the meta-password, do you choose a
meta-meta-password?  How many levels are enough?

If there is no algorithm for the meta-password, it probably comes from
the usual password mechanism, but once the mpw is guessed it gives
uniform (if slow) access to all the passwords.  Of course there might
not be a good test for correctness of guesses for the meta-password ...

Then again, I might just be babbling.  My own preference for passwords
is to change the algorithm every time I change my password.  The set of
mappings from meaningful scraps of information into eight character
gibberish is limited only by imagination, and in a creative, careful
community there will be as many of them as there are accounts.

The real problem with generated passwords is remembering them, not
guessing them.
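
A model of the argument above, as an added example that is not part of the original post or of the travesty program: a toy generator with a small internal state, optionally keyed by a meta-password. The generator, the 16-bit state size, the account names and the wordlist are all constructed assumptions; the point is how the search space moves to the meta-password and why a guess can only be tested against one known output.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase + string.digits
STATE_BITS = 16  # constructed: size of the toy generator's internal state


def generate(state, account, meta=b""):
    """Toy generator: eight characters from (meta-password, account, state)."""
    seed = meta + b"\0" + account.encode() + b"\0" + state.to_bytes(4, "big")
    digest = hashlib.sha256(seed).digest()
    # Modulo bias is ignored: this models the search space, not a real generator.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])


def all_outputs(account, meta=b""):
    """Every password the generator can emit for an account: at most 2**STATE_BITS."""
    return {generate(s, account, meta) for s in range(2 ** STATE_BITS)}


def explains(observed, account, meta):
    """Test for correctness of a meta-password guess; it needs one known output."""
    return observed in all_outputs(account, meta)


def audit(observed, account, wordlist):
    """Return the first wordlist entry that explains a known password, else None."""
    return next((m for m in wordlist if explains(observed, account, m)), None)


# Constructed sample data: one shared meta-password, two accounts.
META = b"wizard1"
WORDLIST = [b"password", b"letmein", b"wizard1"]
ALICE = generate(4242, "alice", META)
BOB = generate(31337, "bob", META)

if __name__ == "__main__":
    # Running the unkeyed generator through all its states no longer helps.
    print("unkeyed enumeration finds alice:", ALICE in all_outputs("alice"))
    # A guessable meta-password is confirmed by a single known password.
    print("meta-password in wordlist:", audit(ALICE, "alice", WORDLIST))
    # With the meta-password known, every account is back to 2**16 candidates.
    print("bob within enumerable set:", BOB in all_outputs("bob", META))
```

With no known output to test against, `explains` has nothing to compare to, which is the "no good test for correctness" case the post mentions.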