Bugtraq mailing list archives
Re: Selecting Good Passwords
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Tue, 11 Jun 1996 12:00:22 -0400
> We use a password generator that produces pronounceable gibberish.

Note to anyone considering such a thing: such passwords are no stronger than the source of the random numbers driving them. Most random number generators "look good" (as in, the resulting "gibberish" looks "random") but are worthless in the cryptographic sense. And even if you have a cryptographically strong generator, it's only as good as its seed.

I recall seeing someone reporting on a case where automatic generation of passwords was experimented with and the simulated attacker just tried all 2^16 possible seeds for the RNG driving the password generation and cracked every one of the generated passwords in less than a cpu-minute.

(I don't know where Mark Riggins' generator is getting its seed data from, tho from someone in "Secure Systems Engineering" at AT&T I'd hope it's a strong source...but most machines do not have strong sources of random numbers.)

der Mouse
mouse () collatz mcrcim mcgill edu
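
The seed-size point in the message above, as an added example that is not part of the original post: an audit that compares the nominal size of a pronounceable-password space with what a 16-bit seed can actually reach, next to a variant drawing from the OS CSPRNG. The syllable alphabet, password length and all function names are assumptions, and Python's `random.Random` stands in for the unnamed non-cryptographic generator; only the 16-bit seed size comes from the case recalled in the post.

```python
import random
import secrets

CONSONANTS = "bdfghjklmnprstvz"   # constructed alphabet (assumption)
VOWELS = "aeiou"
SYLLABLES = 4                     # constructed: 4 consonant-vowel pairs
SEED_BITS = 16                    # seed size from the case in the post


def pronounceable(rng):
    """Build consonant-vowel gibberish from any object with a .choice() method."""
    return "".join(rng.choice(CONSONANTS) + rng.choice(VOWELS)
                   for _ in range(SYLLABLES))


def weak_password(seed):
    """Generator under audit: non-cryptographic PRNG, seed truncated to 16 bits."""
    return pronounceable(random.Random(seed & (2 ** SEED_BITS - 1)))


def strong_password():
    """Same alphabet, but each choice comes from the OS CSPRNG; no seed to replay."""
    return pronounceable(secrets.SystemRandom())


def audit_seed_space():
    """Run the weak generator once per possible seed; returns {password: seed}."""
    return {weak_password(s): s for s in range(2 ** SEED_BITS)}


def report():
    """Compare the space the alphabet promises with what the seed can reach."""
    table = audit_seed_space()
    nominal = (len(CONSONANTS) * len(VOWELS)) ** SYLLABLES
    return {"nominal_space": nominal, "reachable": len(table), "table": table}


if __name__ == "__main__":
    r = report()
    print("nominal password space :", r["nominal_space"])
    print("reachable via the seed :", r["reachable"])
    issued = weak_password(4242)          # constructed sample seed
    print("issued password", issued, "is in the audit table:", issued in r["table"])
    print("CSPRNG-backed sample   :", strong_password())
```

The reachable count can never exceed 2^16 however large the alphabet or password length is made, which is why the audit looks at the seed rather than at how random the output appears.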