Bugtraq mailing list archives

Re: Selecting Good Passwords


From: jco () bbn com (John Orthoefer)
Date: Tue, 4 Jun 1996 15:05:52 -0400


mdr () vodka sse att com wrote:
[stuff about automatic password generation]

For the routine that generates random passwords, it is important that you know
about your random number generator, since most random number
generators have cycles in them.  So with analysis of the seeding
mechanism and the random number generator you could do attacks such as:

        if the seed is generated based on PID
                o Look for users using the password program and record
                  the pid of the process.
                o generate all passwords based on PIDs the system will
                  give user level passwords.
        if the seed is based on time
                o check the time on the password file, if the time
                  changes generate back all passwords within a few
                  minutes of the time the password file changed.
                o snapshot the password file every 24 hours, every
                  password which has changed, generate all passwords for
                  the last 24 hours.  (Use of the last command could
                  also tell what hours you are interested in.)

Remember the set of all unix passwords is pretty large, if you eliminate
easy passwords you are still making the working set of possible passwords
smaller (no need to test the dictionary because the password program
won't let you enter those.)

Salts are good, but if you have the password file then you know all the
salts you're interested in.

[good stuff about reusable passwords]

Cost-analysis planning is required to answer security vs. benefit
questions.   I see VERY few people doing this when they implement
security and it bugs me.

"Think before you leap!" is a good rule to follow.

johno
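An added illustration of the seeding point in the post above (example code, not part of the original message): a toy generator seeded from a PID or a timestamp yields far fewer distinct passwords than the 62^8 the alphabet suggests, while a generator backed by the OS entropy source does not inherit that weakness. The alphabet, password length, PID range and time window are assumptions chosen for the demonstration.

```python
import random
import secrets
import string

# Assumed alphabet and length for the toy generator.
ALPHABET = string.ascii_letters + string.digits
LENGTH = 8


def weak_generate(seed: int, length: int = LENGTH) -> str:
    """Password generator seeded from a small, guessable value (a PID or
    a timestamp in seconds). The output is a pure function of the seed,
    so anyone who can enumerate the seeds can enumerate the passwords."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def candidate_space_for_pid_seed(max_pid: int = 32768) -> int:
    """Distinct passwords reachable when the seed is the PID (assumed
    16-bit PID range); this is the real working set, not 62**8."""
    return len({weak_generate(pid) for pid in range(max_pid)})


def candidate_space_for_time_seed(change_time: int, window_seconds: int) -> int:
    """Distinct passwords reachable when the seed is time(2) and the
    password file's mtime is known to within window_seconds."""
    seeds = range(change_time - window_seconds, change_time + window_seconds + 1)
    return len({weak_generate(s) for s in seeds})


def nominal_space(length: int = LENGTH) -> int:
    """Keyspace the alphabet and length nominally provide."""
    return len(ALPHABET) ** length


def strong_generate(length: int = LENGTH) -> str:
    """Generator drawing from the OS CSPRNG; no seed exists to enumerate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed mtime for a mid-1996 password file change, +/- 5 minutes.
    print("nominal keyspace:", nominal_space())
    print("PID-seeded working set:", candidate_space_for_pid_seed())
    print("time-seeded working set:", candidate_space_for_time_seed(835600000, 300))
    print("CSPRNG sample:", strong_generate())
```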
