random password generator

charles at utastro.UUCP
Wed Aug 8 02:38:57 AEST 1984


Tom Truscott makes some cogent and useful remarks concerning
the password generator "randpasswd" and password protection
in general.

First, the fact that the 4.2BSD version of "randpasswd" uses
tv_usec as the seed is indeed a typo.  I have corrected our version here to
use tv_sec instead and I urge everyone who picked up the source
to do so also.  I didn't post the fix because I didn't believe
there was enough interest, and didn't want to add more cruft to
the net.

The suggestion Tom makes about using 
	tv_usec ^ tv_sec ^ getpid()
is good and should be implemented in your version ASAP.

I am hesitant to recommend his suggestion about incrementing a counter
until the program receives an interrupt, and then using the counter
as a seed because it would require the user to "interact" with the
program and that was not my intent when I wrote it.  However, it
is a good suggestion if you don't share my apprehension.

While I share Tom's mistrust of password generators (mine included)
I believe that using a generated password like eCNrbU01 is preferable
and more secure than using your-name-spelled-backwards or your-wife's-name
or your-address or anything that is likewise easily guessed by "casual"
Bad-Guy password breakers.

Although using "randpasswd" has security risks of which users should
be made aware, it does help the "average user" come up with something
more "secure" than some of the obvious schemes listed above.

A deadbolt on a door will not stop a Bad Guy with dynamite, but it
will deter most "casual" illegal entry.  Using a password generated
by "randpasswd" is not fool-proof, but it's better than many more
obvious schemes, especially if "beefed-up" according to Tom's
suggestions.

(Mostly, though, it was fun to write!)
-- 

                     *>> Charles Sandel <<*
     uucp:  {ut-sally, ut-ngp, noao, charm}!utastro!charles
arpa:  charles at utastro.UTEXAS.ARPA   charles at ut-sally.UTEXAS.ARPA
                   at&t:  (512) 471-4461 x439
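
An added example, not code from the original post or from randpasswd: the seed mix suggested above wired into a seeded generator, beside a seedless generator that reads the kernel's /dev/urandom. The alphabet, the function names and the use of srand()/rand() are assumptions, since the post does not show randpasswd's source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Assumed alphabet: letters and digits, the look of "eCNrbU01". */
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define NSYM (sizeof(ALPHABET) - 1)

/* The seed mix suggested in the post: tv_usec ^ tv_sec ^ getpid(). */
unsigned int mixed_seed(void)
{
    struct timeval tv;
    gettimeofday(&tv, NULL);
    return (unsigned)tv.tv_usec ^ (unsigned)tv.tv_sec ^ (unsigned)getpid();
}

/* Seeded generator (srand/rand are an assumption, standing in for whatever
 * randpasswd calls). out needs len + 1 bytes. The result is a pure function
 * of the seed, so the password is no harder to guess than the seed. */
void seeded_password(unsigned int seed, char *out, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        out[i] = ALPHABET[(size_t)rand() % NSYM];
    out[len] = '\0';
}

/* Seedless alternative: draw bytes from the kernel's /dev/urandom and
 * reject values >= 248 (4 * 62) so every symbol is equally likely.
 * Returns 0 on success, -1 if the device cannot be read. */
int urandom_password(char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i = 0;
    int c;
    if (f == NULL)
        return -1;
    while (i < len && (c = getc(f)) != EOF)
        if (c < 248)
            out[i++] = ALPHABET[(size_t)c % NSYM];
    fclose(f);
    out[i] = '\0';
    return i == len ? 0 : -1;
}
```

Calling seeded_password() twice with the same seed returns the same string, which is why the choice of seed decides how guessable the password is.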



More information about the Comp.unix.wizards mailing list