jbn@glacier.STANFORD.EDU (John B. Nagle) (11/12/88)
In article <251@ispi.UUCP> jbayer@ispi.UUCP writes:
>It is possible to adopt a single system, if that system is random. For
>example, I have included below a random password generating program, written
>for SYS V, but I have been told that it does compile on BSD (please, no flames)

NO GOOD. Just find out, or guess, roughly when the password was changed, and you can start guessing passwords. Last-login information is helpful here. The time(II) call returns a value in units of seconds, so if you know when someone logged in, the number of values to try is modest. Even if you don't, just trying the value for each second over the busy hours of the day for the last few days or weeks will probably provide some useful guesses.

Remember Von Neumann: "Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin."

The notion of generating random passwords is a good one, although in environments where employees do not face severe disciplinary action for security breaches, people tend to write them down and leave them near terminals. But the generation technique must be better.

Better sources of a few random bits include using low-order bits from a microsecond clock, reading angular addresses from all available rotating media, and computing hash functions on sections of system memory. Using a clock value with one-second ticks is not acceptable. Always bear in mind that mapping a non-random value into a large space does not make the value more random.

John Nagle
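An added example, not part of the original post and not the program quoted from the earlier article (which is not reproduced here): it measures how much entropy a password keeps when its generator is seeded from a one-second clock, next to the same format drawn from the operating system's CSPRNG. The function names, the eight-lowercase-letter format, the use of Python's `random.Random` as a stand-in generator, and the epoch value are all assumptions made for illustration.

```python
import math
import random
import secrets
import string

ALPHABET = string.ascii_lowercase   # assumed password alphabet
LENGTH = 8                          # assumed password length


def time_seeded_password(seed: int) -> str:
    """Hypothetical stand-in for a generator seeded from time():
    the seed alone determines every character of the output."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def nominal_bits() -> float:
    """Entropy the password format could carry if chosen uniformly."""
    return LENGTH * math.log2(len(ALPHABET))


def effective_bits(window_seconds: int) -> float:
    """Upper bound on entropy when the seed is a one-second clock value
    known to lie inside a window: at most one password per second."""
    return math.log2(window_seconds)


def distinct_outputs(start: int, window_seconds: int) -> int:
    """Count the passwords the time-seeded generator can emit in a window."""
    return len({time_seeded_password(start + s) for s in range(window_seconds)})


def os_random_password() -> str:
    """Same format, with each character drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


if __name__ == "__main__":
    start = 595_296_000      # constructed value: 1988-11-12 00:00:00 UTC
    window = 8 * 3600        # one eight-hour working day, in seconds
    print(f"format allows   : {nominal_bits():.1f} bits")
    print(f"clock seed gives: at most {effective_bits(window):.1f} bits")
    print(f"distinct outputs: {distinct_outputs(start, window)} of {window} seeds")
    print(f"CSPRNG sample   : {os_random_password()}")
```

The gap between the two bit counts is the last point of the post in numbers: the output format is large, but the generator can only ever reach as many passwords as there are seed values.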