Password choices

Aaron Zimmerman aaron at proxftl.UUCP
Fri Jul 8 00:18:32 AEST 1988


Aah, the eternal 'what do I use as a password' conflict. Well, whoever posted
message #366 (or was it 266? I think 366) seemed to have the right idea -
take a relatively random phrase, and use the first letters of each word (or
the last letters, or the second letters, or whatever turns you on).

Bad passwords, obviously, are: your name, your middle name, names of members
of your families, names of anyone at all; common computer words such as
"foobar", "unix", etc. also aren't so great.

Again, what that other person said about something you can type quickly is
good. At my school (when I'm not working here at Proximity, I'm a student of
SUNY at Stony Brook), many people take pleasure in obtaining passwords of others
for practical joke purposes... I once guessed someone's zzyzx password despite
his typing it very quickly - it's an unusual pattern (including three z's and
an x, both of which are in a corner of the keyboard). It might be a safer
guess to go with generally more centrally-located keys (not necessarily only
using asdf and jkl;, but certainly staying away from, say, 31415).

Oh, yes, other unsafe passwords are numerical constants. I once thought
that it would be a good password to use the first sixteen digits of pi (on a
system of unlimited password length), but it's not good enough, since fingers
which stay on the top row are easily followed... Someone must have seen the
314 at the beginning, listened to count the number of keystrokes, and then
looked up the actual digits. (now, if I had deliberately changed the last
few digits to something else...) Seriously, though, I'd say that the first
letters of each word in a randomly selected phrase has to be the best idea
I've seen.

A little while ago I came up with an algorithm for my personal computer (I
used to own a Macintosh, though I'm about to sell it)... Living in a college
dorm, and one where computers aren't too commonplace (there was an Apple II
on my hall, and otherwise my roommate's 286 and my Mac were the only computers
on the hall), people liked to mess with our systems - play games, use the
word processors, etc. It started getting out of hand, so my roommate used the
keyboard lock, and I came up with password protection. Now, people could
guess my password, or watch me type it, perhaps... but it would be to no
avail, for I am a fast, and consistent, typer. How is that relevant? The
program I had running which asked for the password *timed the rhythm in which
the keys were typed*. This would be infeasible on a unix system, but on a
personal computer of reasonable processor speed it's not unreasonable.
After a certain number of trials it notes the mean times between keystrokes,
as well as the standard deviation. Upon entering the password later, I am
permitted one standard deviation of difference, and then, upon acceptable
entry, the new pattern ('cause it's not _exactly_ the same every time) is
averaged into the old trials, to compensate for changing trends in typing
speed. My roommate and I tested it out... we're both fast typers, and,
though we each only get in about 1 out of every 1.4 trials, neither of us
could log in as the other, even knowing what password to type. I consider
this method fairly secure, though a bit off the topic.

While I'm rambling, Lottery tickets:
	An interesting observation I've made is that, since any particular
number is just as likely to win one week as any other number, it would make
the most sense to pick something unusual, in an attempt to avoid having to
share a prize in the event of a win. That is, many people pick dates as their
lotto 48 numbers. Logical, then, would be to choose something like 33, 35,
37, 39, 41, 43... Or even 43, 44, 45, 46, 47, 48 (though someone else might
be doing the same thing). One might say, "aw, come on, you know what the
chances of them all coming out sequentially are?", but the numbers chosen do
not affect odds of winning - saying they won't come out sequentially is a
fair guess, but it is a fair guess that any particular combination of numbers
will not happen, considering the minuscule odds of winning. I don't play the
lottery 'cause, in NY State, at least, it's the same thing as giving them $1
and being given back 41 cents - and that's only if you play a lot and you
don't get screwed by the odds. It just doesn't pay, but if other people wish
to toss their money away in the hopes of the [not impossible] financial
security they can win, it's their business. Besides, the lottery money does
[often] go to a good cause. Anyway, I suppose this should have been in a
different message, but it was on my mind 'cause people keep asking me, "oh,
you're a computer programmer... so can you come up with any lottery numbers
for me?" Aaargh. I'd better end this before I get flamed to pieces for posting
in the wrong place.



      /  Aaron Zimmerman  \       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
     /   3511 NE 22 Ave.   \      :  Working for Proximity Technology,  :
    <    Fort Lauderdale    >     :  but not speaking on their behalf.  :
     \   Florida - 33308   /      :      UUCP: uunet!proxftl!aaron      :
      \  (3,055,663,511)  /       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
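The keystroke-rhythm check described in the post, as an added example (this is not the poster's Mac program; it is a Python reconstruction using constructed millisecond timings): it keeps the per-interval mean and standard deviation over the training trials, accepts an attempt only when every interval lies within one standard deviation, and averages an accepted attempt back into the profile. The floor on the standard deviation is an added assumption so that one perfectly consistent interval cannot make the check unpassable.

```python
import statistics

# Constructed sample: inter-keystroke intervals (milliseconds) from five
# training trials of the same password typed by its owner; one interval
# per key transition, so 7 intervals for an 8-character password.
TRAINING_TRIALS = [
    [120, 180, 100, 220, 150, 110, 190],
    [130, 170, 110, 210, 140, 120, 180],
    [110, 190, 100, 230, 160, 100, 200],
    [120, 180,  90, 220, 150, 110, 190],
    [140, 160, 110, 200, 150, 120, 180],
]

MIN_STDEV_MS = 5  # assumed floor so a zero-variance interval stays matchable


def intervals_from_timestamps(key_times_ms):
    """Turn key-down timestamps into the gaps between successive keys."""
    return [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]


class RhythmProfile:
    def __init__(self, trials):
        self.trials = [list(t) for t in trials]
        self._refresh()

    def _refresh(self):
        # Per-position mean and standard deviation across all stored trials.
        columns = list(zip(*self.trials))
        self.means = [statistics.mean(c) for c in columns]
        self.stdevs = [max(statistics.stdev(c), MIN_STDEV_MS) for c in columns]

    def matches(self, intervals, tolerance=1.0):
        """True when every interval is within `tolerance` std devs of its mean."""
        if len(intervals) != len(self.means):
            return False
        return all(abs(x - m) <= tolerance * s
                   for x, m, s in zip(intervals, self.means, self.stdevs))

    def check_and_learn(self, intervals):
        """Accept or reject; an accepted attempt is averaged into the profile."""
        accepted = self.matches(intervals)
        if accepted:
            self.trials.append(list(intervals))
            self._refresh()
        return accepted
```

The tolerance multiplier is the knob: tightening it rejects more of the owner's own attempts along with impostors who know the password but not the rhythm.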



More information about the Comp.unix.questions mailing list