PASSWORD GUESSING

Chris Torek chris at mimsy.UUCP
Sun Aug 20 06:36:26 AEST 1989


In article <20648 at adm.BRL.MIL> Kemp at DOCKMASTER.NCSC.MIL writes:
>Any time a human tries to think up a "random" password, chances are it
>won't be as "random" as a machine could choose.  So why not have the
>machine generate it for you, and stop worrying.

I am a bit surprised that someone at NCSC would suggest this without
at least a caveat.  (I suppose I ought not to be surprised....)
While a machine-generated password *could* be `very random', the
average machine generating the average pronounceable password is
not very random at all.  People have been known to use a 15-bit
random number generator (maximum of 32768 distinct passwords) and
filter it through a `pronounceability test' that discards more
than half of the numbers generated!

I generally construct my own passwords by taking one or more words
that form a memorable sequence (such as `military intelligence' :-) ),
translating some or all into some other language(s), rearranging and/or
dropping some of the letters in the result, and changing some into
punctuation and/or control characters.  For instance: `to write the
great American novel' might become `sdvAn^L.'
-- 
In-Real-Life: Chris Torek, Univ of MD Comp Sci Dept (+1 301 454 7163)
Domain:	chris at mimsy.umd.edu	Path:	uunet!mimsy!chris
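
Added example, not part of the original post and not taken from any real password generator: it enumerates every seed of a 15-bit generator, applies a pronounceability filter, and counts the passwords that can actually come out, next to a generator that draws from the OS CSPRNG. The 8-letter length, the filter rule and all function names are assumptions constructed for this illustration.

```python
import math
import random
import secrets
import string

SEED_BITS = 15   # from the post: a 15-bit random number generator
LENGTH = 8       # assumption: 8-character passwords
VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)

def pronounceable(word):
    """Constructed filter: no two vowels and no three consonants in a row."""
    run_v = run_c = 0
    for ch in word:
        if ch in VOWELS:
            run_v, run_c = run_v + 1, 0
        else:
            run_v, run_c = 0, run_c + 1
        if run_v > 1 or run_c > 2:
            return False
    return True

def weak_password(seed):
    """Hypothetical generator: all LENGTH letters derive from one small seed."""
    rng = random.Random(seed)
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(LENGTH))

def audit_weak():
    """Enumerate every seed; return (seeds, distinct surviving passwords, bits)."""
    seeds = 2 ** SEED_BITS
    kept = {w for w in map(weak_password, range(seeds)) if pronounceable(w)}
    bits = math.log2(len(kept)) if kept else 0.0
    return seeds, len(kept), bits

def csprng_password():
    """Consonant-vowel pairs from the OS CSPRNG; always passes the filter."""
    return "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(LENGTH // 2))

def csprng_bits():
    """log2 of the number of equally likely csprng_password() outputs."""
    return (LENGTH // 2) * math.log2(len(CONSONANTS) * len(VOWELS))

if __name__ == "__main__":
    seeds, kept, bits = audit_weak()
    print(f"15-bit seed: {seeds} seeds -> {kept} passwords ({bits:.1f} bits)")
    print(f"CSPRNG: {csprng_bits():.1f} bits, e.g. {csprng_password()}")
```

However long or varied the output looks, the seeded generator can never emit more passwords than it has seeds, and the filter only shrinks that set further.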


