Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10.1 6/24/83; site utastro.UUCP Path: utzoo!watmath!clyde!burl!ulysses!mhuxl!houxm!houxz!vax135!cornell!uw-beaver!tektronix!hplabs!hpda!fortune!amd!decwrl!decvax!wivax!cadmus!harvard!seismo!ut-sally!utastro!charles From: charles@utastro.UUCP Newsgroups: net.unix-wizards Subject: Re: random password generator Message-ID: <336@utastro.UUCP> Date: Tue, 7-Aug-84 12:38:57 EDT Article-I.D.: utastro.336 Posted: Tue Aug 7 12:38:57 1984 Date-Received: Sat, 11-Aug-84 01:37:05 EDT Organization: UTexas Astronomy Dept., Austin, Texas Lines: 44 Tom Truscott makes some cogent and useful remarks concerning the password generator "randpasswd" and password protection in general. First, the fact that the 4.2BSD version of "randpasswd" uses tv_usec as the seed is indeed a typo. I have corrected our verion here to use tv_sec instead and I urge everyone who picked up the source to do so also. I didn't post the fix because I didn't believe there was enough interest, and didn't want to add more cruft to the net. The suggestion Tom makes about using tv_usec ^ tv_sec ^ getpid() is good and should be implemented in your version ASAP. I am hesitant to recommend his suggestion about incrementing a counter until the program receives an interrupt, and then using the counter as a seed because it would require the user to "interact" with the program and that was not my intent when I wrote it. However, it is a good suggestion if you don't share my apprehension. While I share Tom's mistrust of password generators (mine included) I believe that using a generated password like eCNrbU01 is preferable and more secure than using your-name-spelled-backwards or your-wife's-name or your-address or anything that is likewise easily guessed by "casual" Bad-Guy password breakers. Although using "randpasswd" has security risks of which users should be made aware, it does help the "average user" come up with something more "secure" than some of the obvious schemes listed above. A deadbolt on a door will not stop a Bad Guy with dynamite, but it will deter most "casual" illegal entry. Using a password generated by "randpasswd" is not fool-proof, but its better than many more obvious schemes, especially if "beefed-up" according to Tom's suggestions. (Mostly, though, it was fun to write!) -- *>> Charles Sandel <<* uucp: {ut-sally, ut-ngp, noao, charm}!utastro!charles arpa: charles@utastro.UTEXAS.ARPA charles@ut-sally.UTEXAS.ARPA at&t: (512) 471-4461 x439