jmc@ptsfa.PacBell.COM (Jerry Carlin) (07/06/88)
Somewhere I remember hearing or reading that someone did a study about typical (bad) password choices and/or what consituted good password choices. Can anyone give me references? Thanks in advance. -- Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc To dream the impossible dream. To fight the unbeatable foe.
davidsen@steinmetz.ge.com (William E. Davidsen Jr) (07/06/88)
In article <4387@ptsfa.PacBell.COM> jmc@ptsfa.PacBell.COM (Jerry Carlin) writes: | Somewhere I remember hearing or reading that someone did a study | about typical (bad) password choices and/or what consituted good | password choices. Can anyone give me references? Thanks in advance. My suggestion is to chose a random sentence from a book and use the first letters. Alternatively, pick a sentence of your own. Example: passwd sentence iutpotm I use this password on this machine athwamw Atilla the Hun was a mighty warrior This makes it VERY hard for someone to look over your shoulder and steal a password, guess a password, etc. In addition, most people who have tried it find it is slightly easier to remember than a single word. My favorite password (from a system with 12 char passwords) sssiacosbikb some say security is a crock of shit but I know better If you type in an environment where someone might watch as you type, be sure you choose a password which can be typed reasonably quickly. -- bill davidsen (wedu@ge-crd.arpa) {uunet | philabs | seismo}!steinmetz!crdos1!davidsen "Stupidity, like virtue, is its own reward" -me
jbn@glacier.STANFORD.EDU (John B. Nagle) (07/07/88)
About five years ago, I posted to the net an "obvious password detector", a few pages of C intended for use in places such as "passwd" to detect an attempt to use a password that could be guessed by the usual techniques. (The algorithm worked by using the fact that the space of letter triples in English is only 20% populated.) If anyone still has this code, I would appreciate a copy; I no longer have one. John Nagle
klee@daisy.UUCP (Ken Lee) (07/07/88)
I don't know of any formal studies, but I wouldn't be suprised if half of all (user picked) passwords are permutations (approximately in order) of: spouse's (or significant other's) name user's name children's names pet's names other relative's names present or former addresses (street or city names) I also wouldn't be suprised if almost all of the rest were found in the smallest on-line "spell" dictionary. A good password is, obviously, not in any of the above look-up tables. Better still, it is changed regularly and composed of a variety of characters (lower case, upper case, numbers, other printable characters, and, if allowed, non-printable characters). Enjoy. Ken -- uucp: {atari, nsc, pyramid, imagen, uunet}!daisy!klee arpanet: atari!daisy!klee@ames.arc.nasa.gov STOP CONTRA AID - BOYCOTT COCAINE
aaron@proxftl.UUCP (Aaron Zimmerman) (07/07/88)
Aah, the eternal 'what do I use as a password' conflict. Well, whoever posted message #366 (or was it 266? I think 366) seemed to have the right idea - take a relatively random phrase, and use the first letters of each word (or the last letters, or the second letters, or whatever turns you on). Bad passwords, obviously, are: your name, your middle name, names of members of your families, names of anyone at all; common computer words such as "foobar", "unix", etc. also aren't so great. Again, what that other person said about something you can type quickly is good. At my school (when I'm not working here at Proximity, I'm a student of SUNY@Stony Brook), many people take pleasure in obtaining passwords of others for practical joke purposes.. I once guessed someone's zzyzx password despite his typing it very quickly - it's an unusual pattern (including three z's and an x, both of which are in a corner of the keyboard). It might be a safer guess to go with generally more centrally-located keys (not necessarily only using asdf and jkl;, but certainly staying away from, say, 31415). Oh, yes, other unsafe passwords are numerical constants. I once thought that it would be a good password to use the first sixteen digits of pi (on a system of unlimited password length), but it's not good enough, since fingers which stay on the top row are easily followed... Someone must have seen the 314 at the beginning, listened to count the number of keystrokes, and then looked up the actual digits. (now, if I had deliberately changed the last few digits to something else...) Seriously, though, I'd say that the first letters of each word in a randomly selected phrase has to be the best idea I've seen. A little while ago I came up with an algorithm for my personal computer (I used to own a Macintosh, though I'm about to sell it).... Living in a college dorm, and one where computers aren't too commonplace (there was an Apple II on my hall, and otherwise my roommate's 286 and my Mac were the only computers on the hall), people liked to mess with our systems - play games, use the word processors, etc. It started getting out of hand, so my roommate used the keyboard lock, and I came up with password protection. Now, people could guess my password, or watch me type it, perhaps... but it would be to no avail, for I am a fast, and consistent, typer. How is that relevant? The program I had running which asked for the password *timed the rhythm in which the keys were typed*. This would be infeasible on a unix system, but on a personal computer of reasonable processor speed it's not unreasonable. After a certain number of trials it notes the mean times between keystrokes, as well as the standard deviation. Upon entering the password later, I am permitted one standard deviation of difference, and then, upon acceptable entry, the new pattern ('cause it's not _exactly_ the same every time) is averaged into the old trials, to compensate for changing trends in typing speed. My roommate and I tested it out... we're both fast typers, and, though we each only get in about 1 out of every 1.4 trials, neither of us could log in as the other, even knowing what password to type. I consider this method fairly secure, though a bit off the topic. While I'm rambling, Lottery tickets: An interesting observation I've made is that, since any particular number is just as likely to win one week as any other number, it would make the most sense to pick something unusual, in an attempt to avoid having to share a prize in the event of a win. That is, many people pick dates as their lotto 48 numbers. Logical, then, would be to choose something like 33, 35, 37, 39, 41, 43... Or even 43, 44, 45, 46, 47, 48 (though someone else might be doing the same thing). One might say, "aw, come on, you know what the chances of them all coming out sequentially are?", but the numbers chosen do not affect odds of winning - saying they won't come out sequentially is a fair guess, but it is a fair guess that any particular combination of numbers will not happen, considering the miniscule odds of winning. I don't play the lottery 'cause, in NY State, at least, it's the same thing as giving them $1 and being given back 41 cents - and that's only if you play a lot and you don't get screwed by the odds. It just doesn't pay, but if other people wish to toss their money away in the hopes of the [not impossible] financial security they can win, it's their business. Besides, the lottery money does [often] go to a good cause. Anyway, I suppose this should have been in a different message, but it was on my mind 'cause people keep asking me, "oh, you're a computer programmer... so can you come up with any lottery numbers for me?" Aaargh. I'd better end this before I get flamed to pieces for posting in the wrong place. / Aaron Zimmerman \ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- / 3511 NE 22 Ave. \ : Working for Proximity Technology, : < Fort Lauderdale > : but not speaking on their behalf. : \ Florida - 33308 / : UUCP: uunet!proxftl!aaron : \ (3,055,663,511) / -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
mahn@prandtl.nas.nasa.gov.nas.nasa.gov (Richard Mahn) (07/07/88)
There is a good article in LAN magazine on selection of passwords. I believe it is the July issue.
gallen@apollo.uucp (Gary Allen) (07/08/88)
In article <4387@ptsfa.PacBell.COM> jmc@ptsfa.PacBell.COM (Jerry Carlin) writes: >Somewhere I remember hearing or reading that someone did a study >about typical (bad) password choices and/or what consituted good >password choices. Can anyone give me references? Thanks in advance. > >-- >Jerry Carlin (415) 823-2441 {bellcore,sun,ames,pyramid}!pacbell!jmc >To dream the impossible dream. To fight the unbeatable foe. I remember the title of a book that I studied several years ago called "Cryptography and Data Security". I don't remember the author or publisher, but it was fascinating; lots of history of ciphers, spies, etc. Also, there was an article in (I think) a Bell journal that discussed the UNIX password mechanism. I think it was written by Ken Thompson. I can give you the jist. Bad passwords are short and/or chosen from a small alphabet. Consider a 3-character password chosen from the alphabet of lower case letters. An exhaustive attack on this password will succeed in (worst case) 26^3 (17576) attempts. At a rate of 1 attempt/second (which is *very* slow), this password will be broken in less than 5 hours. A 6 character password chosen from a 96 character alphabet (upper and lower case letters, numbers and special characters) require (worst case) 96^6 (nearly a trillion) attempts. At 1 attempt/second, this works out to about 25,000 years. Another type of attack makes use of the fact that passwords are not chosen at random. Rather, people tend to use their children's names, birthdates, etc. A clever cryptologist [sp?] will have a batch of the 200-300 most common names, 200-300 most common words (assuming the local language), all combinations of 3 digits, a few local cities and towns, several dozen dirty words, etc. Assuming 3000 of these goodies, 1 attempt/second requires less than an hour. If the encrypting scheme is known (which UNIX's is), these words can be encrypted in advance and simply compared to the encrypted passwords stored in the system in no time at all. Fortunately, UNIX is protected against this by a "salt" derived from the clock. At least the test cases must be encrypted from scratch for each password under attack. So, the general rule is to use a relatively long password (UNIX hints that it wants 6 characters or more) including characters from each section of the character set, avoiding common names and words, no birthdays or other all-numeric codes. Gary Allen Apollo Computer Chelmsford, MA {decvax,umix,yale}!apollo!gallen P.S. With the exception of a couple of ciphers developed in the last few years, every known cipher in history has been broken. That doesn't imply that the last few haven't, just that we don't know that they've been broken.
exodus@mfgfoc.UUCP (Greg Onufer) (07/08/88)
And aside from the password choices listed, also commonly used are keyboard patterns: qwerty, asdfg, etc. Please: DO NOT USE WORDS FOUND IN THE UNIX SYSTEM DICTIONARY. FOR THAT MATTER, PLEASE DO NOT USE REAL WORDS AS FOUND IN ANY DICTIONARY. I HAVE FIRST-HAND KNOWLEDGE OF A USER AT OUR SITE WHO MAILED OUR PASSWORD FILE TO A FRIEND, AND, WITHIN A WEEK, RECEIVED A LIST OF ALL THE PASSWORDS THAT WERE REASONABLE!!!! Commosense helps: use at least one digit, mix upper and lower case if your system allows you to. A digit in the middle of the word will effectively foul up any brute force dictionary-type search. Disclaimer: I disclaim. --Greg -- Greg Onufer GEnie: G.ONUFER University of the Pacific UUCP: -= Focus Semiconductor =- exodus@mfgfoc ...!sun!daver!mfgfoc!exodus (and postmaster/exodus@uop.edu) AT&T: 415-965-0604 USMAIL: #901 1929 Crisanto Ave, Mtn View, CA 94040
hollombe@ttidca.TTI.COM (The Polymath) (07/08/88)
In article <4387@ptsfa.PacBell.COM> jmc@ptsfa.PacBell.COM (Jerry Carlin) writes: }Somewhere I remember hearing or reading that someone did a study }about typical (bad) password choices and/or what consituted good }password choices. ... Suggested reading: UNIX System Manager's Manual On the Security of UNIX Password Security - A Case History I did some experimenting and reading on the subject a few months ago. Here's some suggestions: Bad choices: anything under 6 characters anything in the spell dictionary (or any on-line dictionary) anything in your /etc/passwd entry (especially name and login id) any publicly available personal fact or attribute Good choices: not a bad choice (-: include at least one punctuation (non-alphameric) character use both upper and lower case -- The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com) Illegitimati Nil Citicorp(+)TTI Carborundum 3100 Ocean Park Blvd. (213) 452-9191, x2483 Santa Monica, CA 90405 {csun|philabs|psivax|trwrb}!ttidca!hollombe
lvc@tut.cis.ohio-state.edu (Lawrence V. Cipriani) (07/08/88)
Choosing good passwords is also aggravated by password aging. The problem is that the user is suddenly told to choose a new password immediately. A local program (which I can't share but someone out there could write easily) gives you a reminder when you login if your password is going to expire within a week. This gives you plenty of time to cook up a good password. -- Larry Cipriani, AT&T Network Systems and Ohio State University Domain: lvc@tut.cis.ohio-state.edu Path: ...!cbosgd!osu-cis!tut.cis.ohio-state.edu!lvc (strange but true)
roy@phri.UUCP (Roy Smith) (07/08/88)
Nobody has yet mentioned the quasi-classic paper "Password Security: A Case History" by Robert Morris and Ken Thompson. It's included in the 4.2/4.3 Unix documentation, and probably in most other Unix doc sets. While not an authoritative research paper on the subject, it does have some good suggestions. They give a short list of commonly used types of passwords, including anything in the dictionary, possibly spelled in reverse, and valid license plate numbers in your state. Obviously, any of the above are bad choices. Personally, I usually use some 6-8 letter word I can remember but with a deliberate mispelling, often combined with an unusual capitalization and/or a digit or two thrown in. Something like "graPHiks88". Easy enough to remember, but hard to guess. If what you're worried about is somebody watching over your shoulder while you type, the capitals and the digits don't help much; they just stand out like a sore thumb. When assigning passwords for incomming uucp accounts, I just type random patterns on the keyboard. -- Roy Smith, System Administrator Public Health Research Institute {allegra,philabs,cmcl2,rutgers}!phri!roy -or- phri!roy@uunet.uu.net "The connector is the network"
brianm@sco.COM (Brian Moffet) (07/08/88)
In article <377@mfgfoc.UUCP> exodus@mfgfoc.UUCP (Greg Onufer) writes: > >Please: DO NOT USE WORDS FOUND IN THE UNIX SYSTEM DICTIONARY. FOR THAT Actually, you can use words in the dictionary, as long as you mistype them. I have yet to see a password cracker look for the word foobar when it is typed fppnar (right hand off by 1 key). -- Brian Moffet brianm@sco.com {uunet,decvax!microsof}!sco!brianm The opinions expressed are not quite clear and have no relation to my employer. 'Evil Geniuses for a Better Tommorrow!'
markz@ssc.UUCP (Mark Zenier) (07/09/88)
In article <4387@ptsfa.PacBell.COM>, jmc@ptsfa.PacBell.COM (Jerry Carlin) writes: > Somewhere I remember hearing or reading that someone did a study > about typical (bad) password choices and/or what consituted good > password choices. Can anyone give me references? Thanks in advance. It's not a study, but has a good descrition of password pitfalls. Out of the Inner Circle Bill Landreth 1985, Microsoft Press ISBN 0-914845-36-5 Mark Zenier uunet!pilchuck!ssc!markz
master@uop.edu (The President) (07/09/88)
The VMS generates passwords which is a combination very hard to figure out. If anyone is interested in the list let me know and I'll mail it... -Nasser.
csg@pyramid.pyramid.com (Carl S. Gutekunst) (07/09/88)
In article <3375@phri.UUCP> roy@phri.UUCP (Roy Smith) writes: >When assigning passwords for incomming uucp accounts, I just type random >patterns on the keyboard. Or you can try this trivial little jewel. Output looks something like this: a[=lRCuV X4Bb<f?4 HkQE:LpE Suitable for grabbing and stuffing on a Sun or a 630. :-) <csg> _______________________________________________________________________________ /* * randpass.c -- generate really random passwords. For BSD Unixes only. * Includes all ASCII chars '0' through 'z', except '@' and '\\' */ #define PASSCHARS 8 main() { int i, c; char s[PASSCHARS+1]; long random(); srandom((int) time(0)); for (i = 0; i < PASSCHARS; ++i) { while ((c = random() % 75 + '0') == '@' || c == '\\') ; s[i] = c; } s[PASSCHARS] = '\n'; write (1, s, PASSCHARS+1); }
jbn@glacier.STANFORD.EDU (John B. Nagle) (07/09/88)
In article <30453@pyramid.pyramid.com> csg@pyramid.pyramid.com (Carl S. Gutekunst) writes: >/* > * randpass.c -- generate really random passwords. For BSD Unixes only. > * Includes all ASCII chars '0' through 'z', except '@' and '\\' > */ No good. If you know that a password was generated with this algorithm, coming up with good guesses is straightforward. If, as is typical under UNIX, one can test guesses without risk of discovery, this is a reasonably easy technique to crack. If you happen to know when the password was changed, the attack is trivial, of course. John Nagle "Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin." Von Neumann
thad@cup.portal.com (07/10/88)
The following is something pertinent to your question regarding selection of passwords. Because it IS of general interest, I'm posting it; don't know if there ever was a followup, but the suggestions contained herein are good advice nonetheless. Enjoy! thad@cup.portal.com =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= DDN-MGT-BULLETIN 18 NETWORK INFO CENTER for 13 Jan 1984 DCA DDN Program Mgmt Office (415) 859-3695 NIC@SRI-NIC Defense Data Network MANAGEMENT BULLETIN The DDN MANAGEMENT BULLETIN is published by the Network Information Center under DCA contract as a means of communicating official policy, procedures and other information of concern to management personnel at DDN facilities. Back issues may be obtained by FTP from the directory <DDN-NEWS> at SRI-NIC [26.0.0.73 and 10.0.0.51]. ********************************************************************** INTERIM GUIDANCE FOR HOST PASSWORD DISCIPLINE (The following is issued as interim guidance with the intent of issuing permanent mandatory guidance within six months. The instructions in this Management Bulletin should be followed until superceded. Your comments, criticisms, and recommendations for improvement are welcome and should be submitted by netmail to GPARK@DDN1.) --------------- The past two years have seen an increase in the number of unauthorized accesses to ARPANET/MILNET host computers. While many of these penetrations have been relatively benign, there has also been an increase in the number of malicious attacks. In response, some host administrators have implemented effective password systems, while others have not, leaving themselves vulnerable to the hacker community. Analysis of host penetrations reported to DCA has consistently pointed to inadequate host password discipline as the primary weakness making these break-ins possible. Some examples of improper password practices which have permitted successful intrusion are: Passwords which can be logically derived from the users name, such as initials, middle names, parts of names, combinations, etc. Passwords based on proper names (relatives, States, cars, boats, ball teams, beers, etc.) Null passwords (e.g., carriage return for password). Unencrypted password files (where encryption is feasible). Unlimited password attempts permitted without disconnection. Considerable effort has been expended by DCA and by DARPA to develop an effective network access control mechanism without denying required services to legitimate users. The TAC Access Control System (TACACS) Phase 1, an outcome of this effort, becomes operational on the MILNET 17 Jan 1984 with a universal User ID and Access Code (in the TAC Herald) for familiarization purposes, and will be fully implemented February 15, 1984. TACACS is expected to effectively accomplish the task it is designed for. It must not, however, be viewed as a complete solution to the problem, since, as its name implies, it only protects against intrusion via TAC ports. It provides no protection against penetration via host backside dial-ins. TACACS is like a fence built only around the front yard. It remains the responsibility of each host to extend the fence around the backside. It is imperative that host managers examine their facilities and implement the improvements needed to correct the weaknesses discovered. A survey of hosts which do have good password discipline reveals some effective practices which can be applied elsewhere. Either of the following two options are recommended as a minimum, with Option One preferred. OPTION ONE: Discontinue the practice of allowing users to select their own passwords, and, instead, issue passwords consisting of at least 8 alphanumeric characters. If possible, passwords should be machine generated and distributed to preclude viewing by persons other than the intended recipient. Disable routines which permit the user to change his password once issued unless the changed password is also machine generated. Change and reissue passwords at least annually. It is recommended that passwords be pronounceable. OPTION TWO: Develop and implement a password filter routine which will be automatically invoked whenever a password is changed, and which will reject any unacceptable user selected password. When the password filter is implemented, require existing passwords to be changed to insure all passwords pass the test of acceptability. A password may be considered acceptable if it does not fall into any of the unacceptable password categories listed below. UNACCEPTABLE PASSWORDS: - Null passwords, i.e., carriage return for password - Passwords of less than eight characters - Passwords which can be found in the English dictionary - Proper names for passwords - Passwords which are permutations of the user's name, account number, etc. Anonymous/guest passwords, although acceptable, are discouraged on most machines. Hosts which do allow this convention must insure that adequate internal safeguards exist to limit usage to only that which is intended. Whichever of the two options above are chosen, all hosts should also implement automatic routines to provide for the following. - Provide 30 day advance notice of the password expiration date. Coupled with the notice should be a message explaining to the user the standards for password selection and the reasons for requiring strict password discipline. Upon expiration of the password the user should be allowed to log-in with the expired password, but only for the purpose of changing the password. - Encryption of password files is strongly encouraged on those machines where, in the judgement of host managers, it will produce a true gain in security. - All unsuccessful log-in attempts (Server TELNET, Server FTP, regular log-in, etc.) should be logged and periodically reviewed. If the machine is attended by an operator, the operator should be notified. A notice of unsuccessful attempts should be published to the account user at the time of the next successful log-in. - Auto-disconnect should occur after no more than three unsuccess- ful log-in attempts. This is regardless of the means of accessing the machine. It is a standing requirement that the DDN be used for official Federal Government business only. Activities operating host computers on the DDN must insure that utilization of their facilites, via the network, meets this requirement. Netwide adoption of the standards and practices requested in this bulletin will substantually reduce the susceptability of individual hosts to successful penetration by unauthorized users. Simultaneously, the opportunity for any given host to be used as an avenue into the network for penetration of other hosts will be correspondingly reduced. -------END OF MESSAGE-------
todd@uop.edu (Dr. Nethack a.k.a Race Bannon ) (07/10/88)
In article <377@mfgfoc.UUCP>, exodus@mfgfoc.UUCP (Greggie-boy Onufer) writes: > And aside from the password choices listed, also commonly used > are keyboard patterns: qwerty, asdfg, etc. > > Please: DO NOT USE WORDS FOUND IN THE UNIX SYSTEM DICTIONARY. FOR THAT > MATTER, PLEASE DO NOT USE REAL WORDS AS FOUND IN ANY DICTIONARY. I HAVE > FIRST-HAND KNOWLEDGE OF A USER AT OUR SITE WHO MAILED OUR PASSWORD FILE > TO A FRIEND, AND, WITHIN A WEEK, RECEIVED A LIST OF ALL THE PASSWORDS THAT > WERE REASONABLE!!!! Get it right, it was turnaround in 2 days tops! > Commosense helps: use at least one digit, mix upper and lower case > if your system allows you to. A digit in the middle of the word will > effectively foul up any brute force dictionary-type search. With mods, will run on metacharacters as well. You are just nervous that someone else might get into your files!! I wonder why?? (another story) Besides.. getting root here takes no longer than 5 minutes, if you know how. > Disclaimer: I disclaim. Disclaimer: this was'nt me! > exodus@mfgfoc ...!sun!daver!mfgfoc!exodus (and postmaster/exodus@uop.edu) > AT&T: 415-965-0604 USMAIL: #901 1929 Crisanto Ave, Mtn View, CA 94040 I guess you are happy, you are in mountain view now!
mparker@chip.UUCP (M. D. Parker) (07/11/88)
With all this talk about "good" passwords, might I suggest that you look in a relatively short manual from the NCSC concerning Passwords. It gives some interesting insights. If somebody here had not borrowed my NCSC manual set, I could give you the number. When I got it the color was a nice Flor. Green color (maybe called the Green Book?). =============================================================================== M. D. Parker ARPANet: chip!mparker@nosc.mil UNIX Systems Manager UUCP: ...{ucsd,nosc,hp-sdd,crash}!chip!mparker Phone: (619) 457-2340 USPS: M/A-COM Government Systems, 3033 Science Park Road, San Diego, CA 92121 Disclaimer: Opinions expressed are my own and not necessarily that of M/A-COM Government Systems Inc.
inc@tc.fluke.COM (Gary Benson) (07/12/88)
Well, I got all security conscious reading about passwords, decided that I'd better change mine. In doing so, however, it occurred to me that one aspect of this discussion hardly ever gets mentioned: how to REMEMBER what you've changed it to. Herewith a few ideas to start things off: 1. Don't change your password on a Friday unless you write it down and put it in that secret compartment in your wallet. 2. If you write it down as a reminder, encode it somehow. For example, if you choose the first letter of the words making up a sentence, write a permutation of the sentence. Here's what I mean: say your password is TitdwtLhm (This is the day which the Lord hath made), you could put on your "TODO" list, "Remind Rev. Ike about psalm 37". 3. Use the same "style" of password. For example, you might use biblical references one month, David Letterman quotes for a while, names of trees, streets in New York City, parts of a flower, and so on. Any other ideas about how to remember what you changed to? I seem always to break my first rule and change it on a Friday. Monday morning comes and I'm all set to login, and BANG - mental block because I never write it down. -- Gary Benson -_-_-_-_-_-_-_-_-inc@tc.fluke.com_-_-_-_-_-_-_-_-_-_ Publication Services Ensign Benson, Space Cadet, Digital Circus, Sector R John Fluke Mfg. Co. Inc. _-_-_-_{uw-beaver, sun,microsoft}!fluke!inc-_-_-_-_-
karl@haddock.ISC.COM (Karl Heuer) (07/13/88)
In article <4396@fluke.COM> inc@tc.fluke.COM (Gary Benson) writes: >Any other ideas about how to remember what you changed to? I use a different password on each of my major accounts. I have a program that, given N-1 of the passwords, will output the missing one. So I'm safe until I forget two passwords at the same time. (No, the program itself doesn't know my passwords. It only knows the XOR of a base-95 encoding of them. The source code and data file are readable.) Karl W. Z. Heuer (ima!haddock!karl or karl@haddock.isc.com), The Walking Lint