
List:       bugtraq
Subject:    Re: Selecting Good Passwords
From:       der Mouse <mouse () Collatz ! McRCIM ! McGill ! EDU>
Date:       1996-06-11 12:00:22

> We use a password generator that produces pronounceable gibberish.

Note to anyone considering such a thing: such passwords are no stronger
than the source of the random numbers driving them.  Most random number
generators "look good" (as in, the resulting "gibberish" looks
"random") but are worthless in the cryptographic sense.  And even if
you have a cryptographically strong generator, it's only as good as its
seed.  I recall seeing someone reporting on a case where automatic
generation of passwords was experimented with and the simulated
attacker just tried all 2^16 possible seeds for the RNG driving the
password generation and cracked every one of the generated passwords in
less than a cpu-minute.  (I don't know where Mark Riggins' generator is
getting its seed data from, tho from someone in "Secure Systems
Engineering" at AT&T I'd hope it's a strong source...but most machines
do not have strong sources of random numbers.)

                                        der Mouse

                            mouse@collatz.mcrcim.mcgill.edu
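
An added illustration of the point made in the message above, not part of the original post and not Mark Riggins' generator: a constructed toy pronounceable-password generator driven by a PRNG with a 16-bit seed, beside a version that draws from the OS CSPRNG. The function names, the syllable alphabet and the password length are assumptions made for the example.

```python
import random
import secrets

# Constructed alphabet for the toy generator (assumption, not from the post).
CONSONANTS = "bcdfghjklmnprstvz"
VOWELS = "aeiou"
SYLLABLES = 4


def pronounceable(rng):
    """Build consonant-vowel syllables using whatever RNG is passed in."""
    return "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS)
                   for _ in range(SYLLABLES))


def weak_password(seed16):
    """Weak design: non-cryptographic PRNG whose state comes from 16 bits."""
    return pronounceable(random.Random(seed16 & 0xFFFF))


def strong_password():
    """Hardened design: OS CSPRNG, no small seed to enumerate."""
    return pronounceable(secrets.SystemRandom())


def nominal_keyspace():
    """What the output format suggests: every syllable combination."""
    return (len(CONSONANTS) * len(VOWELS)) ** SYLLABLES


def effective_keyspace():
    """What the weak generator can actually emit: one password per seed."""
    return len({weak_password(s) for s in range(2 ** 16)})


def audit(password):
    """Return a 16-bit seed that reproduces the password, or None."""
    for s in range(2 ** 16):
        if weak_password(s) == password:
            return s
    return None


if __name__ == "__main__":
    print("nominal keyspace  :", nominal_keyspace())
    print("effective keyspace:", effective_keyspace())
    print("weak sample reachable from a seed:",
          audit(weak_password(12345)) is not None)
    print("CSPRNG sample:", strong_password())
```

The gap between the two keyspace figures is the message's point: the passwords look like they come from tens of millions of possibilities, but only the seed space counts.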
