Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!ukma!uflorida!novavax!proxftl!twwells!bill
From: bill@twwells.uucp (T. William Wells)
Newsgroups: comp.unix.wizards
Subject: Re: Worm/Passwords
Message-ID: <238@twwells.uucp>
Date: 5 Dec 88 03:02:57 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <251@ispi.UUCP> <205@twwells.uucp> <8981@smoke.BRL.MIL> <220@twwells.uucp> <8998@smoke.BRL.MIL> <231@twwells.uucp> <3345@tekcrl.CRL.TEK.COM>
Reply-To: bill@twwells.UUCP (T. William Wells)
Organization: None, Ft. Lauderdale
Lines: 35

In article <3345@tekcrl.CRL.TEK.COM> eirik@tekcrl.TEK.COM (Eirik Fuller) writes:
: In article <231@twwells.uucp> bill@twwells.UUCP (T. William Wells) writes:
: ) I was just addressing a valid objection
: ) raised elsewhere about password generators. The travesty program has
: ) the benefit of augmenting its random generator with additional data
: ) that the crasher has to get to before he can crack the password.
: )
: ) This eliminates the problem with a crasher simply running a generator
: ) program through all its possible states.
:
: Yes, it means he has to guess the meta-password too :-)

Yes, but consider the difficulty the crasher has if he has to guess
say, the contents of some random read protected file plus some random
dictionary? I keep a copy of my incoming and outgoing mail and
interesting news messages in a protected directory; it amounts to
several megabytes. Imagine a crasher trying to figure out the
probabilities from that! Not only that, but it changes all the time;
in order to use this information to work on my password, he'd have to
snarf the data at the time I changed the password. And it'd be of no
use to him the next time I changed my password.

: The real problem with generated passwords is remembering them, not
: guessing them.

Well, the point of this discussion is how to create a reasonably
crasher-proof password generator that also creates passwords that can
be reasonably easily remembered.

---
Bill
{uunet|novavax}!proxftl!twwells!bill
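
An added example, not part of the original post and not the travesty program it mentions: a letter-level travesty (Markov) generator that takes its letter statistics from a private text, as the post describes, and reports how many bits remain to be guessed by someone who has obtained that same text. The order of 2, the function names, the constructed sample corpus and the use of Python's `secrets` module for the random draws are assumptions.

```python
import math
import secrets
from collections import Counter, defaultdict

ORDER = 2  # assumption: each letter depends on the two before it

# Constructed sample standing in for the private, read-protected text.
SAMPLE_CORPUS = (
    "the quick brown fox jumps over the lazy dog while the morning paper "
    "reports another long winter of strange weather and broken machines "
    "people remember pronounceable nonsense better than random letters"
)

def build_model(text, order=ORDER):
    """Count, for every `order`-letter context, the letters that follow it."""
    stream = "".join(c for c in text.lower() if c.isalpha())
    wrapped = stream + stream[:order]  # wrap around so no context is a dead end
    model = defaultdict(Counter)
    for i in range(len(stream)):
        model[wrapped[i:i + order]][wrapped[i + order]] += 1
    return model

def generate(model, length=10, order=ORDER):
    """Walk the model, drawing every choice from the OS CSPRNG via `secrets`."""
    out = secrets.choice(sorted(model))
    while len(out) < length:
        followers = model[out[-order:]]
        # elements() repeats each letter by its count: a frequency-weighted draw
        out += secrets.choice(sorted(followers.elements()))
    return out

def surprisal_bits(model, password, order=ORDER):
    """Bits still to be guessed by an attacker who holds the same corpus."""
    bits = math.log2(len(model))  # uniform choice of starting context
    for i in range(order, len(password)):
        followers = model[password[i - order:i]]
        bits -= math.log2(followers[password[i]] / sum(followers.values()))
    return bits

if __name__ == "__main__":
    m = build_model(SAMPLE_CORPUS)
    pw = generate(m)
    print(pw, round(surprisal_bits(m, pw), 1), "bits if the corpus leaks")
```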