[net.unix-wizards] random password generator

trt@rti-sel.UUCP (08/03/84)

NEVER TRUST A PASSWORD GENERATOR
The 'randpasswd' program generates too few different passwords.
The version that uses gettimeofday(II) tends to pick one of ~4000.
Thus it is easy prey for the exhaustive search attack.
(The one that uses getpid(II)/time(II) is more subtly flawed.
Except it has a huge flaw if '-w' is omitted!)
I suppose this sounds like an attack on randpasswd (sorry),
but actually it is a flame against UNIX programs which
purport to generate unguessable random numbers (dice rollers,
card shufflers, rogue, and so on.)

Randpasswd seeds the random number generator
with the tv_usec (microseconds) returned by gettimeofday(II).
Alas, since the VAX has a 100 Hz clock tv_usec only takes on
one of 100 values!  Actually, randpasswd calls gettimeofday
several times so the various tv_usec may differ (but rarely by much).

PSEUDO FIXES
Randpasswd could be beefed up by replacing references to tv_usec with
	tv_usec ^ tv_sec ^ getpid()	/* '^' is exclusive or */
but that has its problems too.  For example, if I used it to
determine my password a Bad Guy could look at the modification time
of /etc/passwd (or look at my file access times or run 'lastcomm')
to get a good guess for the time (tv_sec) at which I ran randpasswd.
The process id (getpid) can be similarly guessed.
Indeed almost anything randpasswd might try to use for a seed
can be second guessed by a Bad Guy.

A PROPOSED FIX
Arcade video games use response times as a source of randomness,
often using a rapidly incrementing counter rather than a real clock.
This can be done on UNIX by asking the user to press <INTERRUPT>
and then madly incrementing a counter until the interrupt comes in.
That is probably good for at least 10 low-order bits of randomness,
so to get a thirty-bit random number this should be done three times.
(If the "user" above is actually an anti-random program written
by a Bad Guy then extra care is needed to ensure a random count.)
I know it sounds bizarre, but what else is there?

OTHER FIXES
Randpasswd could be made to work if it had access to a source
of unguessable numbers.  Real microseconds (1e6 of them) would help.
Or a new system call that returned a true random number
(implementation to be left up to the kernel/hardware people).
A syscall (or setuid program) that returned the non-reversible
encryption of a secretly maintained sequence number would also do it.
(Keeping the sequence number secret is a major problem.)

	Tom Truscott

charles@utastro.UUCP (08/07/84)

Tom Truscott makes some cogent and useful remarks concerning
the password generator "randpasswd" and password protection
in general.

First, the fact that the 4.2BSD version of "randpasswd" uses
tv_usec as the seed is indeed a typo.  I have corrected our version here to
use tv_sec instead and I urge everyone who picked up the source
to do so also.  I didn't post the fix because I didn't believe
there was enough interest, and didn't want to add more cruft to
the net.

The suggestion Tom makes about using 
	tv_usec ^ tv_sec ^ getpid()
is good and should be implemented in your version ASAP.

I am hesitant to recommend his suggestion about incrementing a counter
until the program receives an interrupt, and then using the counter
as a seed because it would require the user to "interact" with the
program and that was not my intent when I wrote it.  However, it
is a good suggestion if you don't share my apprehension.

While I share Tom's mistrust of password generators (mine included)
I believe that using a generated password like eCNrbU01 is preferable
and more secure than using your-name-spelled-backwards or your-wife's-name
or your-address or anything that is likewise easily guessed by "casual"
Bad-Guy password breakers.

Although using "randpasswd" has security risks of which users should
be made aware, it does help the "average user" come up with something
more "secure" than some of the obvious schemes listed above.

A deadbolt on a door will not stop a Bad Guy with dynamite, but it
will deter most "casual" illegal entry.  Using a password generated
by "randpasswd" is not fool-proof, but it's better than many more
obvious schemes, especially if "beefed-up" according to Tom's
suggestions.

(Mostly, though, it was fun to write!)
-- 

                     *>> Charles Sandel <<*
     uucp:  {ut-sally, ut-ngp, noao, charm}!utastro!charles
arpa:  charles@utastro.UTEXAS.ARPA   charles@ut-sally.UTEXAS.ARPA
                   at&t:  (512) 471-4461 x439

charles%utastro.UTEXAS@UT-SALLY.ARPA (08/16/84)

From:  Charles Sandel <charles%utastro.UTEXAS@UT-SALLY.ARPA>

Don't use it then.

honey@down.FUN (08/17/84)

oh yes, BeethovenDucks is a *very* secure passwd -- as are the rest
of the strings in /usr/dict/words.  (crypt admits 8 significant
characters, Beethoven is in the dictionary.)  down here on down, we
are very careful to use an obscure root passwd -- 8 tabs.  (we like
auto-repeat.)

what's *your* root passwd?  are you macho enough to post it?

	making network history,
		north/honey

pep@down.FUN (08/18/84)

* down's root password has been internationally compromised! *

Needless to say, the perpetrators have been severely punished.
After forcing them to read every article about Stonehenge at
300 baud, they were obliged to create a sendmail config file
(without consulting a sample).  They were removed from the
premises in straitjackets by qualified attendants in white coats.
Their communication lines have been cut, their bits scattered.
They are banished from the FUN domain.
					pep (down!root)

PS - Since I couldn't think of a better root password, I've
	eliminated it altogether.

steve@BRL-BMD.ARPA (08/21/84)

From:      Stephen Wolff <steve@BRL-BMD.ARPA>

>>	I believe that using  a generated password like  eCNrbU01 is
>>	preferable and more secure than using your-name-spelled-backwards
>>	or your-wife's-name or your-address or ......

It still stinks!  Because something marvelous like eCNrbU01 is VERY likely to
be written down on a scrap of paper when Jane Q. User receives it from your
wonderful random gibberish generator, and then the scrap of paper will get
lost somewhere and one day a Bad Guy WILL find it and run through all your
user names until he finds the match.  'Course, YOU can feel good about it
because YOU didn't lose the scrap of paper; it's after all ol' Jane Q.'s OWN
dumb fault, and Sheesh when will those lusers learn anyway, right?

I think random, down-from-on-high passwords are a holdover from the bad old
days of supercilious computer center white-coats.

We let our users pick their own passwords, and enforce a few of the more
obvious caveats.  I claim that one of my old passwords which was NEVER (until
now) written down was in practice MORE secure than eC-what-have-you.  It was
BeethovenDucks (never-you-mind why I found it easy to remember).

	-s

steve@BRL-BMD.ARPA@sri-unix.UUCP (08/23/84)

From:      Stephen Wolff <steve@BRL-BMD.ARPA>

Sorry.  On this UNIX BeethovenDucks is not broken by any (proper) substring.