Worm/Passwords

T. William Wells bill at twwells.uucp
Mon Dec 5 13:02:57 AEST 1988


In article <3345 at tekcrl.CRL.TEK.COM> eirik at tekcrl.TEK.COM (Eirik Fuller) writes:
: In article <231 at twwells.uucp> bill at twwells.UUCP (T. William Wells) writes:
: )                        I was just addressing a valid objection
: ) raised elsewhere about password generators.  The travesty program has
: ) the benefit of augmenting its random generator with additional data
: ) that the crasher has to get to before he can crack the password.
: )
: ) This eliminates the problem with a crasher simply running a generator
: ) program through all its possible states.
:
: Yes, it means he has to guess the meta-password too :-)

Yes, but consider the difficulty the crasher has if he has to guess,
say, the contents of some random read-protected file plus some random
dictionary? I keep a copy of my incoming and outgoing mail and
interesting news messages in a protected directory; it amounts to
several megabytes. Imagine a crasher trying to figure out the
probabilities from that!

Not only that, but it changes all the time; in order to use this
information to work on my password, he'd have to snarf the data at
the time I changed the password.

And it'd be of no use to him the next time I changed my password.

: The real problem with generated passwords is remembering them, not
: guessing them.

Well, the point of this discussion is how to create a reasonably
crasher-proof password generator that also creates passwords that can
be reasonably easily remembered.

---
Bill
{uunet|novavax}!proxftl!twwells!bill
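
An added sketch of the scheme discussed above, not code from the post or from the travesty program: a letter-level travesty (order-2 Markov) table is built from private text, and pronounceable words are sampled from it. The function names, the constructed sample corpus, the order of 2 and the use of the OS random source are assumptions of this example.

```python
import secrets
from collections import defaultdict

# Constructed stand-in for the private corpus (the post's protected mail/news files).
SAMPLE_CORPUS = (
    "the crasher has to guess the contents of some protected file "
    "and a random dictionary before working on the password generator "
    "while the stored mail and news messages keep changing every day"
)

def build_table(text, order=2):
    """Map each `order`-letter context to the letters that followed it in the corpus."""
    table = defaultdict(list)
    for word in text.lower().split():
        word = "".join(c for c in word if c.isalpha())
        padded = "^" * order + word + "$"   # ^ = start of word, $ = end of word
        for i in range(len(padded) - order):
            table[padded[i:i + order]].append(padded[i + order])
    if not table:
        raise ValueError("corpus contains no words")
    return table

def travesty_word(table, order=2, rng=secrets.SystemRandom(), max_len=12):
    """Walk the table from the start-of-word context until the end marker."""
    ctx, out = "^" * order, []
    while len(out) < max_len:
        # Repeated letters in the list weight the choice by corpus frequency.
        nxt = rng.choice(table[ctx])
        if nxt == "$":
            break
        out.append(nxt)
        ctx = (ctx + nxt)[-order:]
    return "".join(out)

def make_password(table, order=2, words=3, min_len=4):
    """Join several generated words; very short words are discarded."""
    parts = []
    while len(parts) < words:
        w = travesty_word(table, order)
        if len(w) >= min_len:
            parts.append(w)
    return "-".join(parts)

if __name__ == "__main__":
    print(make_password(build_table(SAMPLE_CORPUS)))
```

The transition table depends entirely on the corpus, so someone enumerating generator states also needs the private text as it stood when the password was made.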



More information about the Comp.unix.wizards mailing list