Worm/Passwords

Brandon S. Allbery allbery at ncoast.UUCP
Sun Dec 4 03:51:14 AEST 1988


As quoted from <8998 at smoke.BRL.MIL> by gwyn at smoke.BRL.MIL (Doug Gwyn ):
+---------------
| In article <220 at twwells.uucp> bill at twwells.UUCP (T. William Wells) writes:
| >Using a better database might create more or better passwords.  And
| >each user could have his own database; this makes knowledge of the
| >travesty algorithm useless for guessing someone's password.
| 
| I didn't mean to imply that this approach wasn't viable, but I
| couldn't resist the experiment and thought (since the posted travesty
| program wasn't runnable on anything except MS-DOS) that an illustration
| of what "travesty" produces might be informative to many readers.
| 
| Indeed, use of samples of a natural language itself as a database
| for producing statistically similar "random" text is a good idea.
| I seem to recall one of the Computer Recreations columns in
| Scientific American a couple of years ago exploring this method.
| 
| Certainly a larger, more varied database would have produced a better
| selection of passwords.
+---------------

Since I seem to have started this thread, let me point out that I never
expected that "pwgen" was perfect.  Indeed, the version I posted was only a
first approximation.  (I should mention that the phoneme and spelling
databases were culled from a number of comp.unix.wizards articles. ;-)

I'm not going to leave "pwgen" as is; I'm going to experiment with more
phonemes, combinations of same, and random number generation.  It was pointed
out to me that my srand() call was fairly easy to predict; true, but it was
just an example; add in such things as a checksum of the contents of the
process table and etc. and it becomes impossible to duplicate the RNG seed
without a snapshot of the entire system at the time the program is run.
Hardware random numbers (i.e. "/dev/static", which is just an A/D converter
attached to a radio receiver tuned to a frequency filled with static ;-) are
another possibility.  Not that I can test that last on ncoast....  (Note the
smiley; I can think of a fairly easy way for a hardware hacker to break it,
and a good reason why it wouldn't work anyway.  It's just an idea for people
to think about, to get the creative juices flowing.  For that matter, so is
pwgen.)

At least one person has expressed a desire to add pwgen to the UN*X his
company is shipping.  One word to all who are contemplating this:  DON'T.
Pwgen is a first attempt at code to implement an idea; I don't claim it to
be the best way to do it, and it has a number of problems as is.  (The
biggest may be the databases.  Look at them and tell me how easy it is to
change them, either to add phonemes or spellings or to "nationalize" it.
When I put the databases together I decided that the next upgrade would
include a database generator.)  Nor do I claim that the idea itself is in
either a final or a useable form.  Pwgen DOES work to some extent, but I'd
hate to see a large number of sites try to base their security on it as is.

Just in case anyone's interested, here's a run of "pwgen 8 96".  This was
run on ncoast, with its less-than-useable rand(); I will recompile with
another RNG and see how it affects the output.

(Press "n" if you aren't interested...)

shetheg   ehooshi   ooreyov   uudotush  fequasi   ifoomih   etequam   aroochoo
ronuthi   phelide   ngaehoo   ngoomoh   ushudath  rongovi   ipalema   uchukoe
tixoora   chibith   hooburi   komoofo   koosiqu   tingofi   soyichoo  goothur
soovire   epaethoo  thidoqu   meidong   oojaqui   uchokix   xithabo   jogirath
tofiqua   nuphadi   mooloot   jithulu   neoouse   rofunequ  ratheth   nerekos
uboroaqu  quiloop   giligath  nofedij   yoteeub   ooxekam   mothoob   achaniu
senohev   aeboove   mebokeu   quigooy   gujinoo   chetone   ixoosil   ngadeyi
nihochi   modaepu   peraboth  ngitooth  hoothoch  oudutix   ichafea   boyothe
joonguf   patuxong  egooxoo   thotahu   oosoipe   choongi   ogootha   hiheeip
hogoojee  ipaedaa   thipair   hipusab   ehoothae  thilise   oopuloo   isimequ
agiuveb   singaab   oojasho   iyefooj   ootuoov   thaniay   revisai   akichoo
vojeting  ngiremae  rikakee   nathehe   mithisi   beaepin   xeruvep   ihayouu

I see a few problems in here, like a tendency to overuse "oo"; since "pwgen"
has a few bugs, it'll be interesting to see what happens when I fix them.

++Brandon
-- 
Brandon S. Allbery, comp.sources.misc moderator and one admin of ncoast PA UN*X
uunet!hal.cwru.edu!ncoast!allbery  <PREFERRED!>	    ncoast!allbery at hal.cwru.edu
allberyb at skybridge.sdi.cwru.edu	      <ALSO>		   allbery at uunet.uu.net
comp.sources.misc is moving off ncoast -- please do NOT send submissions direct
      Send comp.sources.misc submissions to comp-sources-misc@<backbone>.
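The points raised in the post (a phoneme-table generator like "pwgen", a time-seeded srand() being easy to predict, and the "oo" overuse visible in the sample output) can be made concrete with a small model. This is an added illustration, not pwgen's own code or its databases: the phoneme tables below are constructed for the example, and the generator takes the random-choice function as a parameter so the same scheme can be driven by a seeded, reproducible source (the weakness) or by the OS entropy source (the fix).

```python
import math
import random
import secrets

# Constructed phoneme tables for the example (not pwgen's databases).
VOWELS = ["a", "e", "i", "o", "u", "oo", "ae", "ou"]
CONSONANTS = ["b", "ch", "d", "f", "g", "h", "j", "k", "l", "m", "n", "ng",
              "p", "qu", "r", "s", "sh", "t", "th", "v", "x", "y", "z"]


def pronounceable(length, choice=secrets.choice):
    """Build a string of exactly `length` characters by alternating consonant
    and vowel pieces, then truncating.  `choice` is any function that picks
    one element of a sequence; the default draws from the OS entropy source."""
    use_vowel = choice([True, False])       # random starting side
    out = ""
    while len(out) < length:
        out += choice(VOWELS if use_vowel else CONSONANTS)
        use_vowel = not use_vowel
    return out[:length]


def entropy_upper_bound_bits(length):
    """Generous upper bound on the bits a password of this scheme can carry:
    one bit for the starting side, then at most `length` pieces (every piece
    is at least one character), each worth at most log2 of the larger table."""
    return 1 + length * math.log2(max(len(VOWELS), len(CONSONANTS)))


def seed_space_bits(seconds_window):
    """If the generator is seeded with a clock value, the number of distinct
    outputs is bounded by the number of possible seeds, i.e. the number of
    seconds an attacker has to consider.  Returned in bits."""
    return math.log2(seconds_window)


def effective_bits(length, seed_bits):
    """A password cannot carry more entropy than its seed did."""
    return min(entropy_upper_bound_bits(length), seed_bits)


def count_digraph(words, digraph):
    """Count a two-letter sequence across a list of generated words, the kind
    of check that exposes a table bias such as the "oo" overuse noted above."""
    return sum(word.count(digraph) for word in words)


# First row of the "pwgen 8 96" output quoted in the post.
SAMPLE_ROW = ["shetheg", "ehooshi", "ooreyov", "uudotush",
              "fequasi", "ifoomih", "etequam", "aroochoo"]


if __name__ == "__main__":
    # Seeded with a "known" value: two runs give the same password, which is
    # exactly why a guessable srand() argument undermines the generator.
    a = pronounceable(8, random.Random(1988).choice)
    b = pronounceable(8, random.Random(1988).choice)
    print("seeded, reproducible:", a, b, a == b)
    # Default: drawn from the OS entropy source, no seed to recover.
    print("secrets-backed:      ", pronounceable(8), pronounceable(8))
    year = 365 * 86400
    print("scheme bound  (8 chars): %.1f bits" % entropy_upper_bound_bits(8))
    print("clock seed, one year:    %.1f bits" % seed_space_bits(year))
    print("effective:               %.1f bits" % effective_bits(8, seed_space_bits(year)))
    print('"oo" in sample row:     ', count_digraph(SAMPLE_ROW, "oo"))
```

The arithmetic is the point: the scheme itself could carry a few dozen bits for an 8-character password, but if the seed is a clock value the whole output space collapses to the number of candidate seconds (about 25 bits for a one-year window), no matter how long the password is. The digraph count is the simplest measurement to run over a batch of output when tuning the tables.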
