Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uflorida!haven!mimsy!chris
From: chris@mimsy.UUCP (Chris Torek)
Newsgroups: comp.unix.wizards
Subject: Re: PASSWORD GUESSING
Message-ID: <19168@mimsy.UUCP>
Date: 19 Aug 89 20:36:26 GMT
References: <20648@adm.BRL.MIL>
Organization: U of Maryland, Dept. of Computer Science, Coll. Pk., MD 20742
Lines: 23

In article <20648@adm.BRL.MIL> Kemp@DOCKMASTER.NCSC.MIL writes:
>Any time a human tries to think up a "random" password, chances are it
>won't be as "random" as a machine could choose.  So why not have the
>machine generate it for you, and stop worrying.

I am a bit surprised that someone at NCSC would suggest this without
at least a caveat.  (I suppose I ought not to be surprised....)
While a machine-generated password *could* be `very random', the
average machine generating the average pronounceable password is
not very random at all.  People have been known to use a 15-bit
random number generator (maximum of 32768 distinct passwords) and
filter it through a `pronounceability test' that discards more
than half of the numbers generated!

I generally construct my own passwords by taking one or more words
that form a memorable sequence (such as `military intelligence' :-) ),
translating some or all into some other language(s), rearranging and/or
dropping some of the letters in the result, and changing some into
punctuation and/or control characters.  For instance: `to write the
great American novel' might become `sdvAn^L.'
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris@mimsy.umd.edu	Path:	uunet!mimsy!chris
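
An added example, not part of the original post: an audit that enumerates every seed of a 15-bit generator and compares the passwords it can actually emit with the keyspace their length suggests. The generator constants, the letter mapping and the pronounceability rule are constructed assumptions; the post names none of them.

```python
import math

RNG_BITS = 15                    # generator width named in the post
STATES = 1 << RNG_BITS           # 32768 possible seeds
LETTERS = "abcdefghijklmnopqrstuvwxyz"
VOWELS = set("aeiou")

def step(state):
    """Constructed 15-bit linear congruential step (an assumption, not from the post)."""
    return (state * 20077 + 12345) % STATES

def candidate(seed, length):
    """Expand one seed into a lowercase string; the seed fully determines the output."""
    state, out = seed, []
    for _ in range(length):
        state = step(state)
        out.append(LETTERS[(state >> 7) * 26 >> 8])   # map the high 8 bits to 0..25
    return "".join(out)

def pronounceable(word):
    """Constructed filter: reject runs of three consonants or three vowels."""
    run, prev = 0, None
    for ch in word:
        kind = ch in VOWELS
        run = run + 1 if kind == prev else 1
        if run >= 3:
            return False
        prev = kind
    return True

def audit(length=8):
    """Enumerate every seed and measure the real keyspace against the nominal one."""
    produced = [candidate(seed, length) for seed in range(STATES)]
    kept = {w for w in produced if pronounceable(w)}
    return {
        "nominal_bits": length * math.log2(len(LETTERS)),
        "seed_bits": RNG_BITS,
        "rejected_fraction": 1 - sum(map(pronounceable, produced)) / STATES,
        "distinct_passwords": len(kept),
        "effective_bits": math.log2(len(kept)) if kept else 0.0,
    }

if __name__ == "__main__":
    for n in (8, 12):            # a longer password does not enlarge the keyspace
        print(n, audit(n))
```

Whatever the password length, the count of distinct passwords is bounded by the number of seeds, and the filter only lowers it further.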