Path: utzoo!utgpu!watmath!clyde!att!rutgers!mailrus!cornell!uw-beaver!tektronix!tekcrl!eirik
From: eirik@tekcrl.TEK.COM (Eirik Fuller)
Newsgroups: comp.unix.wizards
Subject: Re: Worm/Passwords
Summary: metapasswords
Keywords: guessing passwords
Message-ID: <3345@tekcrl.CRL.TEK.COM>
Date: 2 Dec 88 23:49:10 GMT
References: <22401@cornell.UUCP> <4627@rayssd.ray.com> <251@ispi.UUCP> <205@twwells.uucp> <8981@smoke.BRL.MIL> <220@twwells.uucp> <8998@smoke.BRL.MIL> <231@twwells.uucp>
Sender: ftp@tekcrl.CRL.TEK.COM
Organization: Tektronix, Inc., Beaverton, OR.
Lines: 29

In article <231@twwells.uucp> bill@twwells.UUCP (T. William Wells) writes:
) ...
)
) I was just addressing a valid objection
) raised elsewhere about password generators. The travesty program has
) the benefit of augmenting its random generator with additional data
) that the crasher has to get to before he can crack the password.
)
) This eliminates the problem with a crasher simply running a generator
) program through all its possible states.

Yes, it means he has to guess the meta-password too :-)

If he knows the algorithm for the meta-password, do you choose a
meta-meta-password? How many levels are enough?

If there is no algorithm for the meta-password, it probably comes from
the usual password mechanism, but once the mpw is guessed it gives
uniform (if slow) access to all the passwords. Of course there might
not be a good test for correctness of guesses for the meta-password ...

Then again, I might just be babbling.

My own preference for passwords is to change the algorithm every time
I change my password. The set of mappings from meaningful scraps of
information into eight character gibberish is limited only by
imagination, and in a creative, careful community there will be as
many of them as there are accounts.

The real problem with generated passwords is remembering them, not
guessing them.
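
Added example, not part of the original post and not the travesty program's code: a small audit of the trade-off discussed above, showing that a generator's passwords are only as strong as its state space, and that mixing in a meta-password moves the whole burden onto that one secret. The 16-bit state, the SHA-256/HMAC construction, and all function names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits
STATE_BITS = 16  # assumed size of the generator's internal state


def _to_password(digest: bytes) -> str:
    """Map digest bytes onto eight characters (slight modulo bias, fine for a demo)."""
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])


def plain_generate(state: int) -> str:
    """Hypothetical generator: the password depends only on the state."""
    return _to_password(hashlib.sha256(state.to_bytes(2, "big")).digest())


def keyed_generate(meta_password: str, state: int) -> str:
    """Same generator with the meta-password mixed in as an HMAC key."""
    mac = hmac.new(meta_password.encode(), state.to_bytes(2, "big"), hashlib.sha256)
    return _to_password(mac.digest())


def states_matching(target: str, generate) -> list:
    """Audit helper: walk every generator state and list those yielding target."""
    return [s for s in range(2 ** STATE_BITS) if generate(s) == target]


def audit() -> dict:
    state = 41234                       # constructed sample state
    meta = "constructed-meta-password"  # constructed sample secret
    plain_pw = plain_generate(state)
    keyed_pw = keyed_generate(meta, state)
    return {
        # No secret: walking all 65536 states reproduces the password.
        "plain_found": state in states_matching(plain_pw, plain_generate),
        # With a secret, the same walk under a wrong guess finds nothing...
        "keyed_found_wrong_meta": bool(
            states_matching(keyed_pw, lambda s: keyed_generate("guess", s))),
        # ...but one correct guess makes the walk work for every account.
        "keyed_found_right_meta": state in states_matching(
            keyed_pw, lambda s: keyed_generate(meta, s)),
    }


if __name__ == "__main__":
    print(audit())
```
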