Password Choices

Thomas Truscott trt at rti.UUCP
Wed Jul 20 14:55:21 AEST 1988 

All the password generators that I have ever seen
can be broken by straightforward attacks.
Password generators are dangerous in the same way
that weak cipher systems are dangerous --
they create a false sense of security.

A truly *random* password generator would be fine,
the problem is that randomness is hard to come by.
Consider the typical password generating program:

	srand(time((time_t *)0)));	/* seed "random" number generator */
	.... generate "random" password ...

srand (or srandom) accepts only a 32 bit seed,
which means this program generates *at most* 2^32 different passwords,
whereas DES accepts a 56 bit key.
So right off we have lost considerable "randomness".
(This type of problem is mentioned in a cryptic paragraph
in "Password Security -- A Case History" by Robert Morris and Ken Thompson.)

It is also very misleading to use srand/rand
since the time-of-day is our only source of randomness.
For example, the hexadecimal representation of the time-of-day
is 8 characters long and can be used directly as the generated password.
Please, never ever use srand/rand in a password generating program!

Much worse, the time of day is *highly* predictable.
If a password's creation time can be guessed within a few hours
it can be found out in just a minute or so of computation.
(This is particularly easy if one can periodically snapshot
the list of encrypted passwords.)

It is possible to do even worse -- one password generator
posted to Usenet produced only about 1000 different passwords.

One can do much better by using other semi-random
values such as the current tv_usec (gettimeofday), millitm (ftime),
process id (getpid), and so on.  But that is not enough.
Try this: ask the user to press <interrupt>
and then perform a busy loop such as:
	long count = 0;
	while (!interrupted && ++count < HUGE)
		;
	/* (If count >= HUGE the user wasted too much cpu time.  Retry.) */
	/* (If the high-order bits are zero we did not loop enough.  Retry.) */
	/* low-order 16 bits of count are fairly random now */
Do this three times to obtain 48 semi-random bits.
XOR into that the various semi-random values mentioned above.
Now generate an 8 character long password by using 6 bits per character
("base-64" characters ala uuencode).
Post THAT to the net.  Please.  I promise I will use it.
Help stamp out bogus password generators!

	Tom Truscott

More information about the Comp.unix.questions mailing list